Vulnerability  ·  2026-06-21

Flowise overrideConfig Chain Injection — RCE, SSRF, Prompt Injection via Prediction API

Vulnerability · High impact · Global · CVE-2024-58351
Flowise before 2.1.4 exposes an overrideConfig option in both the frontend web-chat widget and the backend Prediction API that is enabled by default. Because there is no allow-list of permitted variables and the feature relies on the vm2 sandbox (which has known escape paths), an attacker can inject arbitrary configuration into a running Chainflow. This enables remote code execution and sandbox escape, denial-of-service via server crash, SSRF to internal endpoints, prompt injection into the underlying LLM, and server variable/data exfiltration. The NVD published the CVE on 2026-06-20 at CVSS 9.8 Critical.
Flowise is one of the most widely self-hosted low-code platforms for building LLM agents, RAG pipelines, and agentic workflows. A single unauthenticated request can give an attacker full control of the host running the AI agent, access to all configured LLM API keys and vector-database credentials, and the ability to silently redirect or manipulate every AI response the platform produces.
An attacker sends a crafted POST to the Prediction API (or embeds a payload in the frontend chat widget) with an overrideConfig body that injects configuration into the Chainflow at execution time. Because no allow-list restricts which variables may be overridden, the vm2 sandbox can be escaped to achieve OS-level RCE, trigger SSRF to internal services, exfiltrate server-side variables, or inject malicious prompts into the LLM chain.
Flowise < 2.1.4
Upgrade to Flowise 2.1.4 or later. Advisory: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5cph-wvm9-45gj
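The missing control described above is an allow-list on overrideConfig. The following is an added example, not Flowise code, of such a filter as it could run in a reverse proxy in front of an instance that has not yet been upgraded; the allowed key names, their type checks and the sample request are assumptions.

```javascript
// Added example: allow-list filter for the overrideConfig object of a
// prediction request body. Key names and checks below are assumptions.
const ALLOWED_OVERRIDES = new Map([
  ['sessionId', (v) => typeof v === 'string' && /^[A-Za-z0-9_-]{1,64}$/.test(v)],
  ['temperature', (v) => typeof v === 'number' && v >= 0 && v <= 2],
]);

// Returns { body, rejected }: a copy of the request body whose overrideConfig
// holds only allow-listed, type-checked keys, plus the names that were dropped.
function filterOverrideConfig(body, allowed = ALLOWED_OVERRIDES) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('request body must be a JSON object');
  }
  const rejected = [];
  const out = { ...body };
  if (!Object.prototype.hasOwnProperty.call(body, 'overrideConfig')) {
    return { body: out, rejected };
  }
  const cfg = body.overrideConfig;
  const clean = Object.create(null); // no prototype, so no inherited keys
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    rejected.push('overrideConfig'); // wrong type: drop the whole value
  } else {
    for (const key of Object.keys(cfg)) { // own keys only, incl. "__proto__"
      const check = allowed.get(key);
      if (check && check(cfg[key])) clean[key] = cfg[key];
      else rejected.push(`overrideConfig.${key}`);
    }
  }
  out.overrideConfig = clean;
  return { body: out, rejected };
}

// Constructed sample request body; the non-allowed key names are hypothetical.
const sample = JSON.parse(`{
  "question": "hello",
  "overrideConfig": {
    "sessionId": "user-42",
    "temperature": 0.2,
    "promptOverride": "replace the system prompt",
    "endpointUrl": "http://internal.example/",
    "__proto__": { "polluted": true }
  }
}`);
const result = filterOverrideConfig(sample);
console.log(JSON.stringify(result.body), result.rejected);
```

A non-empty `rejected` list is also a useful signal to log and alert on, since legitimate clients should never send keys outside the allow-list.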
Sources
NVD CVE-2024-58351
GitHub Advisory GHSA-5cph-wvm9-45gj (FlowiseAI)
GitHub Advisory Database (GHSA-5w6g-rc45-wvv9)