CVE-2024-58351

CRITICAL 9.8

Flowise - Remote Code Execution via overrideConfig Parameter

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction API. Because this feature is enabled by default with no allow-list of permitted variables and relies on vm2 for sandboxing, an attacker can abuse it to achieve remote code execution and sandbox escape, denial of service by crashing the server, server-side request forgery, prompt injection, and server variable and data exfiltration. These issues are self-targeted and do not persist to other users.

CWE	CWE-94
Vendor	flowise
Product	flowise
Published	Jun 20, 2026

Stay Ahead of the Next One

Get instant alerts for flowise flowise

Be the first to know when new critical vulnerabilities affecting flowise flowise are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Flowise / Flowise

0 < 2.1.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5cph-wvm9-45gj vulncheck.com: https://www.vulncheck.com/advisories/flowise-remote-code-execution-via-overrideconfig-parameter

Credits

🔍 ryanhalliday