Loading market data...
← Back to CVE feed

CVE-2026-58057

MEDIUM CVSS 5.0 View on NVD ↗

Description

Flowise before 3.1.3 validates Custom MCP stdio environment variables against a denylist using a case-sensitive comparison, so on Windows, where environment names are case-insensitive, supplying 'node_options' bypasses the NODE_OPTIONS denylist entry. An authenticated user who can configure a Custom MCP node can thereby inject NODE_OPTIONS --require and execute arbitrary code in the Flowise server context.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Published: Jun 28, 2026 02:16 UTC Modified: Jun 28, 2026 02:16 UTC