CVE-2026-46442: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /a
criticalvulnerabilityLLM-Specific
security
Summary
Flowise, a tool for building custom AI workflows with a visual interface, had a vulnerability before version 3.1.2 where any user with API access could submit malicious JavaScript code to a function node. When a security key (E2B_APIKEY) wasn't set up (the typical case), this code could break out of its sandbox (a restricted execution environment) and run system commands on the server hosting Flowise.
Solution / Mitigation
Upgrade to version 3.1.2, which patches this vulnerability.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Disclosure Date
June 8, 2026
Classification
Attack Type
Supply Chain
Attack SophisticationModerate
Impact (CIA+S)
integrityconfidentiality
Affected Vendors
LangChain
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-46442
First tracked: June 9, 2026 at 08:09 AM
Classified by LLM (prompt v3) · confidence: 95%