Threat Advisory

Flowise Vulnerability Exposes Host RCE Capabilities

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT, Critical Infrastructure
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-46442: A critical missing route-level authorization and sandbox escape vulnerability affects the backend server routing logic of Flowise, carrying a severity score of 9.4. The flaw allows any standard authenticated user or low-privileged API key holder to reach a raw execution endpoint intended for custom scripts. When no API key for the secure cloud-hosted sandbox is configured, the application silently falls back to executing the submitted code inside a local container instead of refusing the request. An attacker can craft an error-handling payload that makes the runtime leak parts of the host environment, traverse the prototype chain, and reach system libraries, achieving remote code execution on the host. Organizations should patch promptly and apply strict environment configuration so that the local fallback execution path cannot be taken. Mitigating these risks ensures that sensitive endpoints remain gated away from standard user roles and low-privileged access tiers.

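The two configuration patterns the summary contrasts, written out as an added example (this is illustrative code, not Flowise's own, and every name in it is an assumption: the environment variable names, the role and scope names, and the shape of the authenticated principal are hypothetical). The first function shows the silent-fallback pattern the advisory warns about; the second fails closed and enforces authorization at the route, and the middleware shows how a server would apply it before any script reaches an executor.

```javascript
'use strict';

// Added example, not Flowise's code. Env variable names, role/scope names
// and the principal shape are hypothetical assumptions for illustration.

// Pattern the advisory warns about: with no sandbox key configured the
// code still runs, just locally. Anyone who can reach the route gets code
// execution on the host.
function chooseExecutorWithFallback(env) {
  return env.SANDBOX_API_KEY ? 'remote-sandbox' : 'local-container';
}

// Hardened pattern: two independent checks, both of which must pass.
//  1. Authorization is enforced at the route itself: only an explicitly
//     privileged role, or an API key carrying the execute:code scope,
//     may reach the executor at all.
//  2. Executor selection fails closed: no sandbox key means no execution.
//     Local execution needs an explicit operator opt-in and is never a
//     silent fallback.
function resolveExecutionPolicy(env, principal) {
  if (!principal) {
    return { allowed: false, executor: null, reason: 'unauthenticated' };
  }
  const isAdmin = principal.kind === 'user' && principal.role === 'admin';
  const keyHasScope = principal.kind === 'apikey'
    && Array.isArray(principal.scopes)
    && principal.scopes.includes('execute:code');
  if (!isAdmin && !keyHasScope) {
    return {
      allowed: false,
      executor: null,
      reason: 'route requires admin role or execute:code scope',
    };
  }

  const sandboxKey = typeof env.SANDBOX_API_KEY === 'string'
    ? env.SANDBOX_API_KEY.trim()
    : '';
  if (sandboxKey !== '') {
    return { allowed: true, executor: 'remote-sandbox', reason: 'sandbox configured' };
  }
  if (env.ALLOW_LOCAL_CODE_EXECUTION === 'true') {
    return { allowed: true, executor: 'local-container', reason: 'explicit operator opt-in' };
  }
  return {
    allowed: false,
    executor: null,
    reason: 'sandbox not configured; refusing local fallback',
  };
}

// Express-style middleware applying the policy. req.principal is assumed
// to be populated by an upstream authentication layer (hypothetical).
function requireCodeExecution(env) {
  return function (req, res, next) {
    const decision = resolveExecutionPolicy(env, req.principal);
    if (!decision.allowed) {
      res.status(403).json({ error: decision.reason });
      return;
    }
    req.executor = decision.executor;
    next();
  };
}
```

The point of the second function is that an unconfigured sandbox is treated as a deployment error that blocks the feature, not as a reason to run the code somewhere less isolated; an operator who genuinely wants local execution has to say so in configuration, and even then only privileged callers can reach the route.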

RECOMMENDATION:

  • We recommend updating Flowise to version 3.1.2 or later.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/flowise-sandbox-escape-vulnerability-cve-2026-46442-host-rce/
