Protection Mechanism Failure in Flowise - #VU129626

 


Published: November 21, 2024 / Updated: May 4, 2026


Vulnerability identifier: #VU129626
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-693
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software: Flowise

Detailed vulnerability description

The vulnerability allows a remote attacker to escape the sandbox.

The vulnerability exists due to improper sandboxing in the overrideConfig option when processing user-supplied configuration through the Prediction API or web embed integration. A remote attacker can supply crafted overrideConfig values to escape the sandbox.

This issue is described as reachable through both the API and the web embed integration.


Remediation

Install the security update from the vendor's website.
