GHSA-9rvc-vf7m-pgm2: FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
Summary
FlowiseAI's custom JavaScript function endpoint (POST /api/v1/node-custom-function) lacks proper authorization checks, so any authenticated user can submit arbitrary code that executes on the server. When the E2B sandbox (an external code execution service) is not configured, the submitted code runs in a NodeVM sandbox (a JavaScript isolation tool) that can be escaped through error object manipulation, giving an attacker access to the host process and the ability to run system commands via child_process (the Node.js module for executing system commands).
Original source: https://github.com/advisories/GHSA-9rvc-vf7m-pgm2
First tracked: May 14, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%