1 Key Risks
The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Flowise presents a broad default-configuration risk surface with unauthenticated code execution paths, sandbox escapes, credential leaks, and no input or output filtering in place.
2 AIRQ Scores
The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Flowise combines a near-ceiling attack surface driven by confirmed unauthenticated exploitation with broad host-level blast radius and minimal defense controls that leave every axis exposed.
The imbalance between a high attack surface and wide blast radius on one side and near-absent defenses on the other places Flowise among agents whose default configuration grants maximum operational capability with minimal built-in containment, leaving the operator to supply every control.
The per-metric rows below trace each headline score to the kinds of evidence that anchor it, from confirmed exploitation chains to vendor-documented default gaps.
| Metric | Score | Comments |
|---|---|---|
| AIRQ Score | 4.32 | Composite score reflects the convergence of a near-ceiling attack surface, broad blast radius reaching host-level compromise, and minimal defense controls. The evidence base spans critical-severity NVD advisories demonstrating unauthenticated remote code execution through multiple independent chains, GitHub Security Advisories confirming sandbox escapes and credential exposure endpoints, vendor documentation of default-off security controls, and independent threat research confirming active exploitation of the CustomMCP chain, with an EPSS score of 84 percent (99th percentile) for near-term exploitation [12]. Every scored axis is anchored on agent-specific evidence rather than class-level inference, and the defense posture is grounded in vendor-published default configurations. |
| Blast Radius | 7.75 / 10 | Confirmed exploitation paths terminate at container-root shell access with arbitrary command execution, arbitrary filesystem reads including encryption keys and SSH private keys, unrestricted outbound HTTP to internal network services, and stored credential exposure through unauthenticated API endpoints. The blast pattern reflects a platform whose code execution tier grants full host access upon compromise — file system, network, and credential access are architectural consequences of the execution model rather than independently gated capabilities. Autonomous actions fire without approval gates, though the agent lacks dedicated deployment tooling. |
| Attack Surface | 8.16 / 10 | Evidence spans NVD-listed critical-severity remote code execution advisories demonstrated through prompt injection, sandbox escape, parameter override, and Function constructor injection across distinct components. Vendor documentation confirms the default authentication posture and sandbox configuration. Independent threat research confirms active exploitation of at least one chain, the CustomMCP code injection, with an EPSS score of 84 percent [12]. The attack surface reaches beyond standard prompt injection patterns: the exploitation vectors include server-side parameter overrides, MIME type spoofing, and mass assignment in workspace management endpoints, each representing an architecturally distinct entry point. |
| Defense Controls | 2 / 15 | Vendor documentation describes a NodeVM sandbox with dependency allowlisting and an opt-in external sandbox, but the default deployment path runs the internal sandbox, which has been publicly bypassed, without authentication, input filtering, output guardrails, or security-specific monitoring. The defense score reflects what runs by default (a single sandbox layer that has been independently escaped through multiple public exploits), not what the platform could offer after hardening. Execution trace logging provides runtime observability but lacks anomaly detection or SIEM integration. Rate limiting and domain restrictions are documented but require explicit operator configuration. |
3 Attack Surface
Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. Flowise exposes a uniformly elevated surface with confirmed unauthenticated exploitation across prompt ingestion, tool execution, inter-agent communication, output processing, and configuration management channels.
The ten-surface bar pattern shows no single chokepoint — exposure is distributed across the full interaction surface with the dominant channels in code execution, inter-agent communication, and configuration management. The architecture delegates all reasoning to external LLMs, executes tool calls through multiple independent sandboxed and unsandboxed paths, and connects to arbitrary external services through MCP clients, creating a surface where attacker-controlled input can reach code execution through any of several independent chains. The uniform elevation reflects an agent whose default configuration treats every interaction channel as a trusted path.
Six of ten attack surfaces carry evidence penalties from independently confirmed exploitation, which is why they score above the four-point ceiling in the table below. The confirmed exploitation patterns span multiple architecturally distinct paths: crafted prompts fed to the CSV and Airtable agent nodes evade server-side pattern validation to reach code execution; parameter override through FILE-STORAGE exploits the environment variable handling to inject NODE_OPTIONS for container-root shell access; Function constructor evaluation in the CustomMCP node bypasses all sandboxing entirely; and mass assignment in workspace management endpoints enables cross-tenant boundary violations. Each chain exploits a different subsystem, confirming that the surface breadth is architectural rather than a single overlooked input.
| Surface | Score | Comments |
|---|---|---|
| User Input | 5 / 4 | Flowise accepts unauthenticated prompts via web UI, REST API, embedded chat widgets, and webhooks on the default configuration with authentication disabled. The CSV Agent prompt injection chain bypasses Pyodide forbidden-pattern validation and achieves unauthenticated remote code execution [2]. The AirtableAgent demonstrates an independent prompt injection to RCE path through Pyodide [13]. Authentication is opt-in via environment variables that are unset by default [14], leaving every chatflow endpoint accessible to anonymous callers. |
| External Data | 5 / 4 | Flowise ingests external data through file uploads, document loaders, vector database retrievals, and MCP client connections to arbitrary external servers. An unauthenticated file upload bypass via MIME type spoofing enables stored XSS and potential RCE chains [11]. MCP client connections process tool outputs from untrusted external servers without input validation, and RAG document ingestion accepts content from operator-configured external sources without integrity verification [15]. |
| Memory | 1 / 4 | Session memory uses BufferMemory with no cross-session persistence by default. Persistent memory options through external databases are opt-in and carry no documented integrity verification or access controls beyond the backing store's own authentication [16]. Memory poisoning risk is limited to the current session scope in the default configuration. |
| Reasoning | 3 / 4 | Flowise delegates reasoning to interchangeable external LLMs without isolation between the reasoning context and the execution environment [15]. No reasoning-level guardrails, output constraints, or model-specific safety configurations are applied by the platform. The model-agnostic architecture means reasoning quality and safety depend entirely on the selected provider's own controls. |
| Planning | 3 / 4 | Agentflow V2 supports autonomous task decomposition with conditional logic, branching, and looping [15]. Plans execute without mandatory human review. The Sequential Agent and custom workflow nodes chain tool calls based on LLM-generated plans, with Human-in-the-Loop available but disabled by default and limited to specific node types. |
| Tool Execution | 5 / 4 | The CustomMCP node evaluates user-controlled input through a Function() constructor with full Node.js runtime privileges outside any sandbox, confirmed exploited in the wild [4][12]. Container-root RCE via FILE-STORAGE parameter override and NODE_OPTIONS injection grants arbitrary system commands without authentication [1]. The NodeVM sandbox for Custom JS Function has been escaped via an Error object constructor chain [7]. CSVAgent code injection via unsanitized Pandas CSV reads provides a further, authenticated RCE path [5]. Pyodide forbidden-pattern validation is bypassed by CSV Agent prompt injection [2]. |
| Orchestration | 3 / 4 | Agentflow V2 supports multi-agent orchestration with background execution, asynchronous workflow processing, conditional branching, and state management [15]. Custom Tool creation and MCP client configuration support stdio and streamable HTTP transports [18]. Orchestrated workflows execute tool chains without per-step approval gates, and no isolation boundary separates orchestrated agent contexts from each other. |
| Inter-Agent | 5 / 4 | MCP client connections to external servers process tool outputs through a code path vulnerable to Function constructor injection, achieving host-level RCE from inter-agent communication [3]. The CustomMCP node evaluates mcpServerConfig as JavaScript outside the NodeVM sandbox, granting host-level process access from any connected MCP server. Cross-workspace assistant takeover via mass assignment demonstrates lateral movement between tenant boundaries [20]. |
| Output Processing | 5 / 4 | The public chatbotConfig endpoint exposes stored API keys, HTTP authorization headers, and internal configuration without authentication to any caller knowing a chatflow UUID [9]. SSRF in API Chain components allows unauthenticated prompt injection to redirect server-side HTTP requests to internal services [6]. Output responses pass through no content filtering or redaction before reaching downstream consumers via API, embedded widgets, or webhooks. |
| Configuration | 5 / 4 | Mass assignment in Assistant endpoints lets workspace members hijack assistants by overwriting the owning workspace identifier across tenant boundaries [20]. Variable update mass assignment breaks tenant isolation in multi-workspace deployments [21]. Authentication is disabled by default, CORS defaults to wildcard, and community nodes are enabled [16]. SSRF protection bypass via built-in HTTP modules in the Custom Function sandbox circumvents deny-list configuration [10]. |
The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Flowise processes untrusted prompts and file uploads, accesses stored credentials and server filesystem contents, and communicates externally through API chains, MCP clients, and webhook responses — all in the same session scope on the default configuration.
Flowise exhibits all three of these conditions in its documented default configuration:
- Untrusted input — Flowise accepts prompts, file uploads, and MCP tool outputs from untrusted parties via unauthenticated web endpoints [2], with the CSV Agent and AirtableAgent prompt injection chains confirming that untrusted input drives server-side code execution without additional operator interaction [13].
- Sensitive data — ReadFileTool traverses the server filesystem without path restrictions, exposing encryption material, database files, and SSH credentials [8], while the chatbotConfig configuration endpoint reveals stored secrets and authorization tokens to unauthenticated callers [9].
- External egress — API Chain components can be redirected via prompt injection to send server-side HTTP requests to arbitrary internal and external endpoints [6], and the Custom Function sandbox bypass allows unrestricted outbound connections through built-in HTTP modules despite deny-list configuration [10].
4 Blast Radius
The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. Successful exploitation of Flowise grants the attacker container-root shell access, full filesystem traversal, unrestricted network egress, and stored credential exposure — a blast that extends to every resource the containerized process can reach.
The six-factor bar pattern reflects a platform whose code execution model grants near-complete host access upon compromise. The three maximum-scored factors — code execution, file system, and network — are architectural consequences of running the agent process with root privileges inside a container that has no filesystem or network isolation beyond the container boundary itself. Credential access falls one tier below because the exposure path runs through a specific leaked endpoint rather than through the general execution model, and deployment tooling is absent from the default configuration.
The confirmed exploitation paths terminate at container-root shell access, arbitrary filesystem reads of sensitive host material, SSRF-driven network egress to internal services, and leakage of stored secrets through unauthenticated configuration endpoints. Each capability has been independently demonstrated through agent-specific advisories — the blast radius is not projected from architecture alone but grounded in exploits that reached these boundaries through distinct platform components.
| Factor | Score | Comments |
|---|---|---|
| Code execution | 4 / 4 | Unauthenticated attackers exploit a FILE-STORAGE parameter override combined with NODE_OPTIONS to obtain root-level shell inside the container [1]. The CustomMCP Function() constructor and NodeVM sandbox escape provide additional independent code execution paths that each terminate at host-level process access [4][7]. |
| File system access | 4 / 4 | ReadFileTool accepts arbitrary file paths without directory restriction, enabling authenticated callers to extract server-side encryption material, database files, and SSH credentials from the host [8]. Combined with the code execution paths, write access to the full container filesystem is achievable through the root-level shell. |
| Network access | 4 / 4 | SSRF via API Chain prompt injection redirects server-side HTTP requests to internal services without SSRF protection [6]. The Custom Function sandbox bypass via built-in HTTP modules circumvents deny-list configuration, granting unrestricted outbound network access [10]. Full network access is also available through the root shell execution paths. |
| Credential access | 3 / 4 | LLM provider API keys, database connection strings, and HTTP authorization headers stored in Flowise are retrievable from an unauthenticated configuration endpoint by any caller who possesses a chatflow UUID [9]. Secrets are AES-256 encrypted at rest but decrypted at runtime, and no credential rotation or access auditing is documented for the default configuration. |
| Autonomous action | 2 / 4 | Tools attached to chatflows fire autonomously without per-action approval. Human-in-the-Loop is opt-in and limited to specific node types in Agentflow V2 [15]. The autonomous scope covers tool execution, API calls, file operations, and MCP interactions but does not extend to dedicated deployment or infrastructure management capabilities. |
| Deployment access | 1 / 4 | Flowise provides no dedicated deployment tools for CI/CD triggers, infrastructure provisioning, or container orchestration management [22]. The code execution paths grant shell access that could theoretically reach deployment systems on the same host, but the agent itself has no deployment-specific tooling in its default configuration. |
5 Defense Controls
Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. Flowise ships with a single sandbox layer that has been publicly escaped, no input filtering, no output guardrails, no per-action approval, and execution trace logging without anomaly detection — leaving the operator responsible for every containment decision.
The five-component bar pattern shows near-absent default controls across the board, with only the execution isolation and monitoring tiers registering any presence. The runtime does almost nothing to detect, contain, or report attacks on its own — the NodeVM sandbox is the only active defense control, and it has been independently escaped through multiple confirmed exploits. The operator inherits the full burden of defense from the first deployment onward, with no built-in mechanism to detect prompt injection, sandbox escape, credential theft, or lateral movement.
Only execution isolation and monitoring/audit register any scored presence; the remaining three controls score zero in the default configuration. Vendor documentation describes configurable controls including authentication, CORS restrictions, sandbox options, and rate limiting, but none activate by default. Opt-in mitigations that require explicit operator configuration are not counted toward the score — they reappear as hardening tips that an operator can layer on top of the default posture. The vendor security policy documents remediation SLAs for reported vulnerabilities [17] but no runtime defense is included.
| Component | Score | Comments |
|---|---|---|
| Input Guardrails | 0 / 3 | No input validation, prompt filtering, content scanning, or schema enforcement is documented for the default configuration [16]. Authentication is disabled by default for self-hosted deployments [14]. Rate limiting and restricted domains are available as environment variable settings but require explicit operator configuration to activate. |
| Execution Isolation | 1 / 3 | NodeVM sandbox runs by default for Custom JS Function nodes with dependency allowlisting and built-in module restrictions [23]. However, the sandbox was independently bypassed through an Error-class prototype traversal [7], and the CustomMCP node sidesteps it entirely via Function() constructor evaluation [4]. The E2B external sandbox is opt-in and requires explicit API key configuration. |
| Action Controls | 0 / 3 | No per-action approval gates, tool-call allowlists, or scope restrictions are applied by default [15]. Human-in-the-Loop nodes are available in Agentflow V2 but disabled by default and limited to Sequential Agent and Agentflow node types. All tools fire autonomously on every chatflow interaction. |
| Output Guardrails | 0 / 3 | No output DLP, content redaction, PII masking, URL sanitization, or response filtering is documented for the default configuration. The chatbotConfig endpoint leaks stored credentials without authentication [9]. Output responses pass through no validation before reaching downstream consumers through API, embedded widgets, or webhooks. |
| Monitoring | 1 / 3 | Execution Traces UI provides runtime visibility into chatflow and agent execution [19]. No anomaly detection, SIEM forwarding, alerting pipeline, or audit log retention policy is documented for the default configuration. Sandbox escape attempts, credential access events, and SSRF requests are silent without operator-configured external monitoring. |
6 Hardening Tips
Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Flowise can be substantially hardened by enabling authentication, adopting the external sandbox, restricting network egress, and forwarding execution traces to external monitoring — all of which require explicit operator action.
Input Guardrails
Input guardrails intercept adversarial content before it reaches the reasoning loop.
- Policy Require authentication on every deployment before exposing any endpoint to the network: enforce the application-level login described in the vendor authorization documentation [14] (on releases that still use the FLOWISE_USERNAME and FLOWISE_PASSWORD basic-auth variables, set both) and assign an API key to every chatflow so prediction calls need a bearer token — counters the default unauthenticated access that turns prompt injection into RCE.
- Configuration Set CORS_ORIGINS (and IFRAME_ORIGINS for embedded widgets) to specific trusted domains and enable API rate limits — counters the default wildcard CORS and unrestricted endpoint access that expose every chatflow to anonymous callers.
- Engineering Deploy a reverse proxy with WAF rules to filter known prompt injection patterns and validate file upload MIME types at the network edge — counters the absence of built-in input validation. Treat the prompt-pattern rules as a coarse filter only: pattern matching does not reliably stop prompt injection, so it complements authentication and sandboxing rather than replacing them.
Execution Isolation
Execution isolation contains what a compromised agent can do on the host.
- Policy Mandate external sandbox usage for all code execution by requiring E2B_APIKEY configuration in deployment runbooks — counters the default NodeVM sandbox that has been publicly escaped [7]. This covers only nodes that route code through the sandbox; the CustomMCP Function() path runs outside any sandbox [4] and has to be disabled or restricted separately.
- Configuration Disable community nodes and hide every node that is not needed (the node deny list is set through DISABLED_NODES in the environment reference [16]) so only operator-vetted components are reachable — counters the attack surface expansion from CustomMCP and third-party nodes that evaluate input outside the sandbox.
- Engineering Run containers with a non-root user as the highest-impact single change, then layer read-only filesystem mounts, dropped capabilities, and seccomp profiles — counters the container-root privilege escalation demonstrated through NODE_OPTIONS injection. This limits what the chain yields (a shell as the service user rather than root) but does not close it; upgrading to the patched release [1] does.
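The container-hardening and environment settings from the tips in this section, collected into one compose file. This is an added example, not the vendor's compose file: the image tag, the uid, the /data layout and the seccomp profile path are assumptions, and the variable names not quoted on this page (SHOW_COMMUNITY_NODES, DISABLED_NODES, IFRAME_ORIGINS, the *_PATH variables) are taken from the vendor environment reference [16] and should be checked against your release, as should the node identifiers listed in DISABLED_NODES.

```yaml
# docker-compose.yml for a hardened Flowise deployment (added example, not the
# vendor's file). Assumptions: the image tag follows the patched release listed
# in the references; Flowise listens on 3000; the *_PATH variables move every
# writable path under /data so an unprivileged uid can own it.
services:
  flowise:
    image: flowiseai/flowise:3.1.0        # release carrying the 3.1.0 fixes; pin and track advisories
    user: "10001:10001"                    # non-root: the NODE_OPTIONS chain yields a service-user shell, not root
    read_only: true                        # immutable root filesystem; every writable path is listed below
    tmpfs:
      - /tmp:size=256m,mode=1777           # scratch space for Node and Pyodide
    volumes:
      - flowise-data:/data                 # database, secret key, API keys, uploads, logs
    cap_drop:
      - ALL                                # no Linux capabilities for the process
    security_opt:
      - no-new-privileges:true             # blocks setuid / file-capability escalation
      - seccomp=./seccomp-flowise.json     # assumed path: start from Docker's default profile and tighten
    pids_limit: 512
    mem_limit: 2g
    ports:
      - "127.0.0.1:3000:3000"              # only the reverse proxy / WAF on this host reaches Flowise directly
    env_file:
      - ./flowise.secrets.env              # E2B_APIKEY, FLOWISE_SECRETKEY_OVERWRITE, DB credentials; kept out of version control
    environment:
      # state relocation so the non-root uid owns everything it writes
      DATABASE_PATH: /data
      SECRETKEY_PATH: /data
      APIKEY_PATH: /data
      LOG_PATH: /data/logs
      BLOB_STORAGE_PATH: /data/storage
      # input guardrails: replace the wildcard CORS default
      CORS_ORIGINS: "https://chat.example.com"
      IFRAME_ORIGINS: "https://chat.example.com"
      # execution isolation: hide community nodes and the nodes behind the
      # confirmed RCE and file-read paths; E2B_APIKEY (env file) routes the
      # remaining code execution to the external sandbox
      SHOW_COMMUNITY_NODES: "false"
      DISABLED_NODES: "customMCP,customFunction,readFile,writeFile"   # verify node names for your release
      # output guardrails: in-process SSRF deny list (format per [16]; if your
      # release takes hostnames only, list the concrete addresses). Defense in
      # depth only: CVE-2026-41270 shows it can be bypassed from the Custom
      # Function sandbox, so real egress control belongs in host firewall / CNI policy.
      HTTP_DENY_LIST: "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10"
      DISABLE_FLOWISE_TELEMETRY: "true"
      LOG_LEVEL: info

volumes:
  flowise-data:
```

Outbound filtering is not expressible in compose itself; enforce it with a host firewall or CNI network policy on the container, and keep HTTP_DENY_LIST as a second layer rather than the control you rely on.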
Action Controls
Action controls govern which tools and actions the agent can invoke autonomously.
- Policy Enable Human-in-the-Loop nodes on every workflow that executes tools with network, filesystem, or credential access — counters the default autonomous execution without operator approval.
- Configuration Restrict MCP client connections to a curated allowlist of trusted servers and disable Custom MCP node creation for non-admin users — counters the Function constructor injection path from external MCP servers.
- Engineering Put the external dependencies that tools reach (MCP servers, API Chain targets, other outbound HTTP) behind a gateway or egress proxy that enforces an operator-defined allowlist — counters the absence of per-action approval gates, which Flowise does not provide in-process.
Output Guardrails
Output guardrails inspect what the agent sends to other systems and users.
- Policy Upgrade to a release in which chatbotConfig no longer returns stored secrets [9] and require authentication for every other configuration-retrieving API path; where the public endpoint must stay reachable for embedded widgets, front it with the reverse proxy and keep credentials out of chatflow configuration — counters the unauthenticated credential exposure through chatbotConfig.
- Configuration Configure HTTP_DENY_LIST for all internal network ranges and restrict outbound connections at the container or host network layer as well — counters SSRF-driven data exfiltration through API Chain and Custom Function sandbox bypass. The in-process deny list alone is not sufficient, because [10] shows it can be bypassed from the Custom Function sandbox.
- Engineering Deploy a response filtering proxy that strips API keys, credentials, internal URLs, and PII from all API responses before reaching consumers — counters the absence of output DLP. Pattern-based redaction catches known token formats, not arbitrary secrets, so it is a last line of defense behind keeping secrets out of chatflow configuration.
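One way to build the response filter from the Engineering tip above, as an added example that is not Flowise code or the vendor's recommendation. It redacts every string value in a JSON body while preserving the structure, so widgets and webhook consumers still parse the reply. The token patterns are illustrative and should be tuned to the providers you use; the response shape (a `text` field plus `sourceDocuments`) and the token values are constructed for the example.

```python
"""Response redaction filter for an agent prediction API (added example, not
Flowise code). Meant to sit in the reverse proxy in front of the API and scrub
secret material, internal URLs and basic PII from response bodies before they
reach embedded widgets, webhooks or API clients."""
import json
import re

# (rule name, pattern). Order matters: concrete token formats first, then the
# generic Authorization header, then internal hosts, then PII.
REDACTION_RULES = [
    ("openai_key", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")),
    ("authorization_header",
     re.compile(r"(?i)\b(authorization\s*:\s*)(bearer|basic)\s+\S+")),
    # RFC 1918, loopback and link-local literals plus a few internal-only DNS
    # suffixes; extend the suffix list with your own internal zones.
    ("internal_url", re.compile(
        r"\bhttps?://(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|169\.254\.\d{1,3}\.\d{1,3}|[\w.-]+\.(?:internal|corp|local))"
        r"(?::\d+)?[^\s\"'<>]*")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
]


def redact_text(text: str) -> tuple[str, dict[str, int]]:
    """Apply every rule to one string; return the scrubbed text and per-rule hit counts."""
    counts: dict[str, int] = {}
    for name, rx in REDACTION_RULES:
        marker = f"[REDACTED:{name}]"
        if name == "authorization_header":
            # keep the header name and scheme so the response stays readable
            text, n = rx.subn(lambda m: f"{m.group(1)}{m.group(2)} {marker}", text)
        else:
            text, n = rx.subn(marker, text)
        if n:
            counts[name] = n
    return text, counts


def redact_response(body: bytes) -> tuple[bytes, dict[str, int]]:
    """Scrub every string value in a JSON body while preserving its structure.
    Bodies that are not JSON are treated as plain text."""
    totals: dict[str, int] = {}

    def walk(node):
        if isinstance(node, str):
            out, counts = redact_text(node)
            for k, v in counts.items():
                totals[k] = totals.get(k, 0) + v
            return out
        if isinstance(node, list):
            return [walk(x) for x in node]
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        return node

    text = body.decode("utf-8", errors="replace")
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        out, counts = redact_text(text)
        return out.encode("utf-8"), counts
    return json.dumps(walk(data)).encode("utf-8"), totals


# Constructed reply in the shape of a prediction API response (answer text plus
# retrieved documents). Token values are documentation/example strings.
SAMPLE_RESPONSE = json.dumps({
    "text": ("Fetched http://10.20.30.40:8080/admin with "
             "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJl "
             "using key sk-live-abcdefghijklmnopqrstuvwxyz0123456789"),
    "sourceDocuments": [
        {"pageContent": "Escalate to ops@corp.example; access key AKIAIOSFODNN7EXAMPLE"}
    ],
}).encode("utf-8")

if __name__ == "__main__":
    scrubbed, hits = redact_response(SAMPLE_RESPONSE)
    print(scrubbed.decode("utf-8"))
    print(hits)
```

The per-rule hit counts are worth exporting as metrics: a redaction on a response is itself a signal that a secret reached the output path, and belongs in the same alerting pipeline as the monitoring tips below.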
Monitoring
Monitoring captures what the agent did and surfaces anomalies for review.
- Policy Forward execution traces to an external SIEM with alerting rules for sandbox escape patterns, credential access, and SSRF indicators — counters the silent default monitoring.
- Configuration Capture authentication events, configuration changes, and credential access from reverse-proxy access logs and application logs into tamper-resistant external storage, since Flowise documents no security audit log of its own — counters the absence of security-specific audit trails.
- Engineering Implement network monitoring on containers to detect and alert on unexpected outbound connections to internal services and non-allowlisted hosts — counters the SSRF and sandbox bypass paths.
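The egress policy behind the HTTP_DENY_LIST tip and the network-monitoring tip above, as one added example that is not Flowise code. It decides on the resolved address rather than the host string (so integer, hex and IPv4-mapped literals and names that resolve to internal addresses are all caught) and then applies that decision to outbound-connection log lines to produce alerts. The log format, the DNS table and the node names are constructed for the example; the resolver is injected so it runs offline.

```python
"""Egress policy for an agent runtime plus a detector over outbound-connection
logs (added example, not Flowise code). The policy is meant to run outside the
agent process (egress proxy, sidecar or log pipeline): CVE-2026-41270 shows an
in-process deny list can be sidestepped by code that opens connections through
other modules, so the enforcement point must be one the tool code cannot reach."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Destinations a tool call should never reach: RFC 1918, loopback, link-local
# (covers cloud metadata at 169.254.169.254), CGNAT, "this host", multicast,
# and the IPv6 equivalents. Add your own internal prefixes.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def unmap(ip: IPAddress) -> IPAddress:
    """::ffff:10.0.0.5 is still 10.0.0.5; compare the embedded IPv4 address."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def parse_ip_literal(host: str) -> Optional[IPAddress]:
    """Return the address if `host` is an IP literal in any form an HTTP client
    accepts: dotted quad, bracketed IPv6, IPv4-mapped IPv6, or a bare decimal or
    hex integer (2130706433 and 0x7f000001 both mean 127.0.0.1). None for names.
    Deny lists that compare the host *string* miss the last three forms."""
    h = host.strip("[]")
    try:
        ip: IPAddress = ipaddress.ip_address(h)
    except ValueError:
        if re.fullmatch(r"0x[0-9a-fA-F]{1,8}", h):
            ip = ipaddress.ip_address(int(h, 16))
        elif re.fullmatch(r"\d{1,10}", h) and int(h) < 2**32:
            ip = ipaddress.ip_address(int(h))
        else:
            return None
    return unmap(ip)


def is_blocked(ip: IPAddress) -> bool:
    return any(ip in net for net in BLOCKED_NETWORKS)


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate_destination(url: str, resolve: Callable[[str], list[str]],
                         allowed_hosts: Optional[set[str]] = None) -> Decision:
    """Decide whether an outbound request may proceed. The check runs on the
    *resolved* addresses so a public-looking name pointing at an internal address
    (split-horizon DNS, rebinding) is caught. In production use socket.getaddrinfo
    and connect to the address you checked, not to the name again."""
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased, IPv6 brackets removed, port split off
    if parts.scheme not in ("http", "https") or not host:
        return Decision(False, f"unsupported or malformed url {url!r}")
    if allowed_hosts is not None and host not in allowed_hosts:
        return Decision(False, f"{host} is not on the egress allowlist")
    literal = parse_ip_literal(host)
    addrs = [literal] if literal is not None else [unmap(ipaddress.ip_address(a)) for a in resolve(host)]
    if not addrs:
        return Decision(False, f"{host} did not resolve")
    for ip in addrs:
        if is_blocked(ip):
            return Decision(False, f"{host} resolves to {ip}, a blocked range")
    return Decision(True, f"{host} -> {', '.join(str(a) for a in addrs)}")


# Constructed log format (not a Flowise format): one outbound connection per
# line as recorded by an egress proxy or a tracing hook in front of the runtime.
LOG_LINE = re.compile(r"^(?P<ts>\S+) chatflow=(?P<chatflow>\S+) node=(?P<node>\S+) url=(?P<url>\S+)$")


def detect_egress_violations(lines: Iterable[str], resolve: Callable[[str], list[str]],
                             allowed_hosts: Optional[set[str]] = None) -> list[dict]:
    """Run the policy over logged connections; return one alert record per violation."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # in production, count unparseable lines and alert on a spike
        decision = evaluate_destination(m["url"], resolve, allowed_hosts)
        if not decision.allowed:
            alerts.append({"ts": m["ts"], "chatflow": m["chatflow"], "node": m["node"],
                           "url": m["url"], "reason": decision.reason})
    return alerts


# Constructed DNS table standing in for the resolver (TEST-NET-3 addresses are public).
FAKE_DNS = {
    "api.openai.com": ["203.0.113.10"],
    "internal-wiki.corp.example": ["10.20.30.40"],
    "rebind.attacker.example": ["203.0.113.9", "127.0.0.1"],  # one public, one loopback answer
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


SAMPLE_LOG = """\
2026-03-01T10:15:01Z chatflow=4f2a node=ChatOpenAI url=https://api.openai.com/v1/chat/completions
2026-03-01T10:15:02Z chatflow=4f2a node=POSTAPIChain url=http://169.254.169.254/latest/meta-data/iam/
2026-03-01T10:15:03Z chatflow=4f2a node=CustomFunction url=http://2130706433:3000/api/v1/credentials
2026-03-01T10:15:04Z chatflow=9c77 node=GETAPIChain url=http://internal-wiki.corp.example/secrets
2026-03-01T10:15:05Z chatflow=9c77 node=GETAPIChain url=https://rebind.attacker.example/callback
2026-03-01T10:15:06Z chatflow=9c77 node=GETAPIChain url=http://[::ffff:10.0.0.5]/
"""

if __name__ == "__main__":
    for a in detect_egress_violations(SAMPLE_LOG.splitlines(), fake_resolve):
        print(f"ALERT {a['ts']} chatflow={a['chatflow']} node={a['node']}: {a['reason']}")
```

Run against the sample, the first line passes and the other five raise alerts: the metadata address, a decimal-encoded loopback literal aimed at the Flowise API port, an internal hostname, a name with one public and one loopback answer, and an IPv4-mapped IPv6 literal. Passing `allowed_hosts` turns the deny-list into an allowlist, which is the posture the Action Controls tips call for.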
7 References
The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7] or [4][12]) refer to entries below, listed in citation order.
Selected Vulnerabilities
- CVE-2026-41268 Unauthenticated RCE via FILE-STORAGE parameter override and NODE_OPTIONS injection; root-level command execution in containerized Flowise (CVSS 9.8). Patched in 3.1.0.
- CVE-2026-41264 CSV Agent prompt injection bypasses Pyodide forbidden-pattern validation and executes attacker-controlled Python without authentication (CVSS 9.8). Patched in 3.1.0.
- CVE-2025-55346 Dynamic Function constructor injection in CustomMCP node evaluates mcpServerConfig outside NodeVM sandbox granting host-level process access (CVSS 9.8). Patched in 3.0.6.
- CVE-2025-59528 CustomMCP node Function() constructor injection with full Node.js runtime privileges; active exploitation confirmed; EPSS 84 percent (CVSS 10.0). Patched in 3.0.6.
- CVE-2026-41137 CSVAgent code injection via unsanitized Pandas CSV read code; authenticated RCE through Python interpolation (CVSS 8.8). Patched in 3.1.0.
- CVE-2026-41271 SSRF in POST and GET API Chain components; unauthenticated prompt injection redirects server requests to internal services (CVSS 8.3). Patched in 3.1.0.
- CVE-2026-41272 Authenticated host RCE via NodeVM sandbox escape in Custom JS Function node; Error object constructor chain recovers host process access (CVSS 9.9). Patched in 3.1.0.
- CVE-2025-61913 ReadFileTool arbitrary file read via path traversal; authenticated attackers read encryption keys, SQLite databases, and SSH private keys from the host filesystem.
- CVE-2026-41266 Public chatbotConfig endpoint exposes API keys and HTTP authorization headers without authentication to anyone knowing a chatflow UUID (CVSS 7.7). Patched in 3.1.0.
- CVE-2026-41270 SSRF protection bypass via unprotected built-in HTTP modules in Custom Function sandbox; authenticated users reach internal networks despite HTTP_DENY_LIST. Patched in 3.1.0.
- CVE-2026-30821 Unauthenticated file upload bypass via MIME type spoofing; enables stored XSS, malicious file hosting, and potential RCE chain (High severity). Patched in 3.0.13.
Selected Research
- SonicWall Capture Labs analysis of CVE-2025-59528 SonicWall confirms active exploitation of CustomMCP code injection and places EPSS at 84 percent in the 99th percentile for near-term exploitation probability.
- CVE-2026-41138 AirtableAgent prompt injection bypasses intended LLM behavior and triggers RCE through Pyodide by returning a malicious Python payload (CVSS 8.3). Patched in 3.1.0.
Vendor Documentation
- Flowise application-level authorization Vendor documentation describes Passport.js JWT authentication, token lifecycle, session management, and security recommendations for production deployment.
- Flowise Agentflow V2 Vendor documentation describes multi-agent orchestration architecture, Custom Function nodes, MCP integration, Human-in-the-Loop nodes, and state management.
- Flowise environment variables Vendor reference for configurable environment variables including CORS, authentication tokens, sandbox settings, storage backends, and network controls.
- Flowise security policy Vendor security policy documents vulnerability reporting via GitHub Security Advisory, remediation SLAs of 30 business days for critical and 60 for high.
- Flowise tools and MCP integration Vendor documentation describes Custom Tool creation, MCP client configuration for stdio and streamable HTTP transports, and Custom Function node capabilities.
- Flowise introduction and feature overview Vendor product overview documents the visual builder, tracing, evaluations, HITL, API and SDK access, teams and workspaces, and security controls including RBAC and SSO.
Other Sources
- CVE-2026-46475 Mass assignment in Assistant create and update flow allows any authenticated workspace member to overwrite workspaceId and take over assistants across workspace boundaries.
- CVE-2026-42861 Mass assignment in variable update endpoint allows authenticated users to reassign variables to arbitrary workspaces, breaking tenant isolation in multi-workspace deployments.
- Flowise product homepage Vendor positions Flowise as an open-source agentic systems development platform providing modular building blocks for compositional workflows through autonomous agents.
- DeepWiki Flowise sandbox security analysis Third-party architectural analysis documents NodeVM isolation with dependency allowlisting, built-in module restrictions, context isolation, and MCP protocol security checks.