
CVE-2024-36791: Flowise RCE Exploitation — Detection and Hardening Guide

Security Arsenal Team
May 30, 2026

A critical security vulnerability has been disclosed in Flowise, the popular drag-and-drop user interface for building LLM (Large Language Model) applications. Specifically, exploit code has been published for CVE-2024-36791, a Remote Code Execution (RCE) flaw that allows unauthenticated attackers to fully compromise self-hosted Flowise instances.

The attack vector is particularly dangerous because it requires minimal user interaction—often just a single click to import a malicious "chatflow." Given the rapid adoption of LLM orchestration tools in enterprise environments, this vulnerability represents a high-value target for initial access brokers and ransomware operators. Defenders must assume active scanning for this flaw is underway and prioritize immediate remediation.

Technical Analysis

Affected Product: Flowise (self-hosted versions)
CVE Identifier: CVE-2024-36791
CVSS Score: 9.8 (Critical)
Affected Versions: Flowise < 1.6.5

The Vulnerability Mechanism

The vulnerability resides in the application's handling of chatflow imports. Flowise allows users to export and import workflows as JSON files. In vulnerable versions, the application fails to properly sanitize or sandbox the data deserialized during the import process.

  1. Attack Vector: An attacker creates a malicious JSON file representing a chatflow. This file contains crafted payload properties designed to break out of the application logic.
  2. Execution: When a victim (or an attacker with access to the API) imports this file, Flowise processes the JSON. Due to insecure deserialization or prototype pollution, the application interprets the payload as executable code rather than static configuration.
  3. Impact: This results in arbitrary code execution with the privileges of the user running the Flowise process (typically node or a dedicated service account). On Linux servers, this often leads to full server takeover.
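The added example below (not Flowise's own code, and not derived from the published PoC) shows the defect class described above in working form: a naive recursive merge of an imported JSON document that lets a "__proto__" key write into Object.prototype, beside a hardened import routine that rejects such keys and validates the document shape before anything is merged. The function names and the assumed chatflow shape (an object with "nodes" and "edges" arrays) are illustrative assumptions; the inputs are constructed for the demonstration.

```javascript
// Added example, not Flowise's code. Shows why an unsanitised import of
// attacker-controlled JSON is dangerous and one way to harden it.

// Vulnerable pattern: merges every key of the imported document into a target
// object. JSON.parse creates an OWN property named "__proto__", so
// target["__proto__"] resolves to Object.prototype and the recursion writes
// into it; every object in the process then inherits the injected property.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const ALLOWED_TOP_LEVEL = new Set(['nodes', 'edges']); // assumed chatflow shape

// Hardened import: a JSON.parse reviver aborts on prototype-related keys
// anywhere in the tree, then the top-level shape is checked against an
// allowlist before the document is accepted.
function importChatflow(jsonText) {
  const doc = JSON.parse(jsonText, (key, value) => {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected chatflow: forbidden key "${key}"`);
    }
    return value;
  });
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    throw new Error('rejected chatflow: top level must be an object');
  }
  for (const key of Object.keys(doc)) {
    if (!ALLOWED_TOP_LEVEL.has(key)) {
      throw new Error(`rejected chatflow: unexpected top-level key "${key}"`);
    }
  }
  if (!Array.isArray(doc.nodes) || !Array.isArray(doc.edges)) {
    throw new Error('rejected chatflow: "nodes" and "edges" must be arrays');
  }
  return { nodes: doc.nodes, edges: doc.edges };
}

// Constructed inputs for the demonstration (not real exploit payloads).
const MALICIOUS_IMPORT = '{"nodes": [], "edges": [], "__proto__": {"polluted": true}}';
const BENIGN_IMPORT = '{"nodes": [{"id": "n1", "data": {"label": "LLM"}}], "edges": []}';

function demonstrate() {
  const beforeMerge = ({}).polluted;             // undefined: nothing inherited yet
  unsafeMerge({}, JSON.parse(MALICIOUS_IMPORT));
  const afterMerge = ({}).polluted;              // true on a completely unrelated object
  delete Object.prototype.polluted;              // undo the damage for this demo

  let rejected = null;
  try {
    importChatflow(MALICIOUS_IMPORT);
  } catch (err) {
    rejected = err.message;                      // hardened path refuses the document
  }
  const benign = importChatflow(BENIGN_IMPORT);  // legitimate export still imports
  return {
    beforeMerge,
    afterMerge,
    rejected,
    nodeCount: benign.nodes.length,
    stillPolluted: ({}).polluted !== undefined,
  };
}

console.log(demonstrate());
```

The reviver approach catches the key wherever it appears in the tree, not only at the top level, which is where a per-field check is usually missed; the allowlist then limits what an import can carry at all.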

Exploitation Status

Public exploit code (PoC) is now available. The PoC demonstrates the ability to spawn a reverse shell simply by importing a JSON file. This lowers the barrier to entry for script kiddies and automated bots. Organizations running Flowise publicly on the internet are at imminent risk.

Detection & Response

Detecting exploitation of this vulnerability means catching the moment the Node.js process running Flowise spawns an unexpected child process. Web server logs may show the import call to /api/v1/chatflows, but the definitive signal of compromise is the resulting execution of system commands.

Sigma Rules

YAML
---
title: Flowise RCE - Suspicious Node.js Child Process
id: 8a4b2c19-1d3e-4f5a-9b6c-2d3e4f5a6b7c
status: experimental
description: Detects potential exploitation of CVE-2024-36791 by identifying the Node.js Flowise parent process spawning a shell or network tool.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2024-36791
author: Security Arsenal
date: 2025/03/05
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith: '/node'
    ParentCommandLine|contains: 'flowise'
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/zsh'
      - '/curl'
      - '/wget'
      - '/nc'
      - '/python'
      - '/perl'
  condition: selection
falsepositives:
  - Legitimate administration by developers testing nodes that execute shell scripts
level: high
---
title: Flowise RCE - Windows Node Spawning PowerShell
id: 9c5d3e20-2e4f-5g6b-0c7d-3e4f5g6a7b8d
status: experimental
description: Detects exploitation attempts on Windows where the Flowise Node process spawns cmd.exe or powershell.exe.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2024-36791
author: Security Arsenal
date: 2025/03/05
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\node.exe'
    ParentCommandLine|contains: 'flowise'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Administrative debugging
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Flowise RCE via suspicious child processes
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("node.exe", "node")
| where InitiatingProcessCommandLine contains "flowise"
| where FileName in~ ("bash", "sh", "dash", "cmd.exe", "powershell.exe", "pwsh", "python", "python3", "perl", "curl", "wget", "nc")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessParentFileName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for Flowise (Node) parent spawning suspicious shells
-- pslist() exposes Ppid but no nested Parent object, so collect the Flowise
-- node parents first and then look up their children by Ppid.
LET Parents <= SELECT Pid AS ParentPid, Name AS ParentProcess, CommandLine AS ParentCommandLine
  FROM pslist()
  WHERE Name =~ "node" AND CommandLine =~ "flowise"

SELECT * FROM foreach(row=Parents, query={
  SELECT ParentProcess, ParentPid, Name AS ChildProcess, Pid, CommandLine, Username
  FROM pslist()
  WHERE Ppid = ParentPid
    AND Name IN ("bash", "sh", "zsh", "powershell.exe", "cmd.exe", "python", "python3")
})
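The following added example (not part of the original advisory) expresses the selection logic of the Sigma rules above in JavaScript and runs it over constructed process-creation events, so the match and false-positive behaviour can be checked offline before the rule is deployed. Field names follow the Sigma process_creation taxonomy (ParentImage, ParentCommandLine, Image); the sample events are constructed, not captured from an incident.

```javascript
// Added example, not part of the original advisory: the Sigma selection
// logic above as code, run over constructed process-creation events.

// Child images the rules treat as suspicious when spawned by Flowise's node
// process (Linux and Windows lists combined).
const SUSPICIOUS_CHILD_SUFFIXES = [
  '/bash', '/sh', '/zsh', '/curl', '/wget', '/nc', '/python', '/perl',
  '\\cmd.exe', '\\powershell.exe', '\\pwsh.exe',
];
const NODE_PARENT_SUFFIXES = ['/node', '\\node.exe'];

// Sigma string modifiers are case-insensitive by default.
function endsWithAny(value, suffixes) {
  const v = value.toLowerCase();
  return suffixes.some((s) => v.endsWith(s.toLowerCase()));
}

// Equivalent of: ParentImage|endswith AND ParentCommandLine|contains AND Image|endswith
function matchesFlowiseRule(event) {
  const parentImage = event.ParentImage || '';
  const parentCmd = (event.ParentCommandLine || '').toLowerCase();
  const image = event.Image || '';
  return endsWithAny(parentImage, NODE_PARENT_SUFFIXES)
    && parentCmd.includes('flowise')
    && endsWithAny(image, SUSPICIOUS_CHILD_SUFFIXES);
}

function hunt(events) {
  return events.filter(matchesFlowiseRule);
}

// Constructed sample telemetry (not captured from a real incident).
const SAMPLE_EVENTS = [
  { // Flowise's node process spawning a shell: should match
    ParentImage: '/usr/bin/node',
    ParentCommandLine: 'node /opt/flowise/node_modules/.bin/flowise start',
    Image: '/bin/sh',
    CommandLine: 'sh -c "uname -a"',
  },
  { // an unrelated Node.js app spawning a shell: out of scope for this rule
    ParentImage: '/usr/bin/node',
    ParentCommandLine: 'node /srv/webapp/server.js',
    Image: '/bin/sh',
    CommandLine: 'sh -c "uname -a"',
  },
  { // Windows variant: should match
    ParentImage: 'C:\\Program Files\\nodejs\\node.exe',
    ParentCommandLine: 'node.exe C:\\flowise\\node_modules\\flowise\\bin\\run start',
    Image: 'C:\\Windows\\System32\\cmd.exe',
    CommandLine: 'cmd.exe /c whoami',
  },
  { // Flowise spawning a binary not on the list: not matched (a known blind spot)
    ParentImage: '/usr/bin/node',
    ParentCommandLine: 'node /opt/flowise/node_modules/.bin/flowise start',
    Image: '/usr/bin/git',
    CommandLine: 'git --version',
  },
];

console.log(hunt(SAMPLE_EVENTS).map((e) => `${e.ParentImage} -> ${e.Image}`));
```

The fourth sample event is the one worth keeping in mind: the rules key on a fixed list of child images, so a child that is not on the list produces no alert. Tightening the rule to any child of the Flowise process, and then allowlisting what your deployment legitimately spawns, is the stricter variant.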

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# Flowise CVE-2024-36791 Remediation Script
# Detects the deployment method, updates Flowise to a patched release
# (1.6.5 or later) and verifies the installed version where it can.
set -euo pipefail

FLOWISE_DIR="/path/to/flowise"   # Adjust if running locally without Docker
SERVICE_NAME="flowise"           # PM2 process name
MIN_VERSION="1.6.5"              # First fixed release

# Succeeds if the version in $1 is at least MIN_VERSION (uses sort -V).
version_ok() {
    [ "$(printf '%s\n%s\n' "$MIN_VERSION" "$1" | sort -V | head -n 1)" = "$MIN_VERSION" ]
}

echo "[+] Checking Flowise status..."

# Check if running via Docker (common deployment)
if docker ps --format '{{.Names}}' 2>/dev/null | grep -qi flowise; then
    echo "[*] Flowise detected running in Docker."
    # Capture the container BEFORE pulling: once a new :latest is pulled, the
    # old container no longer matches an 'ancestor=' filter on that tag.
    CONTAINER="$(docker ps -q --filter ancestor=flowiseai/flowise | head -n 1)"
    COMPOSE_DIR="$(docker inspect -f '{{ index .Config.Labels "com.docker.compose.project.working_dir" }}' "$CONTAINER" 2>/dev/null || true)"
    echo "[*] Pulling latest image (v1.6.5+)..."
    docker pull flowiseai/flowise:latest
    # 'docker restart' would keep the OLD image running; the container has to
    # be recreated from the newly pulled one.
    if [ -n "$COMPOSE_DIR" ] && [ -d "$COMPOSE_DIR" ]; then
        echo "[*] Compose project found in $COMPOSE_DIR, recreating container..."
        (cd "$COMPOSE_DIR" && docker compose up -d --force-recreate)
        echo "[+] Docker Flowise updated."
    else
        echo "[!] Container '${CONTAINER:-unknown}' was not started by Docker Compose."
        echo "[!] Remove it and re-run 'docker run' with your original options so it uses the new image."
    fi

# Check if running via npm/pm2
elif command -v pm2 >/dev/null 2>&1 && pm2 list | grep -qi flowise; then
    echo "[*] Flowise detected running via PM2."
    echo "[*] Stopping service..."
    pm2 stop "$SERVICE_NAME"
    echo "[*] Updating Flowise..."
    cd "$FLOWISE_DIR"
    # npm update stays inside the semver range in package.json; if that range
    # pins an old release, use: npm install flowise@latest
    npm update flowise
    echo "[*] Starting service..."
    pm2 start "$SERVICE_NAME"
    pm2 save
    echo "[+] Flowise updated via npm."
    echo "[+] Verifying update..."
    INSTALLED="$(npm ls flowise --depth=0 2>/dev/null | grep -o 'flowise@[0-9.]*' | head -n 1 | cut -d@ -f2)"
    if [ -n "$INSTALLED" ] && version_ok "$INSTALLED"; then
        echo "[+] Installed version $INSTALLED is patched."
    else
        echo "[!] Installed version '${INSTALLED:-unknown}' is below $MIN_VERSION or could not be read."
    fi
else
    echo "[!] Could not automatically determine Flowise deployment method."
    echo "[!] Please manually update Flowise to version 1.6.5 or higher."
    # Note: verification depends on the install method;
    # 'flowise --version' usually works if installed globally.
fi

Remediation

To mitigate this vulnerability, organizations must take immediate action to patch vulnerable instances.

  1. Update Immediately: Upgrade Flowise to version 1.6.5 or later. This version contains the fix for the unsafe deserialization flaw.
    • Docker Users: Pull the latest image (flowiseai/flowise:latest).
    • NPM Users: Run npm update flowise.
  2. Verify Configuration: Ensure that your Flowise instance is not exposed directly to the public internet without authentication. If the business requires public access, place it behind a Web Application Firewall (WAF) with strict input validation rules.
  3. Audit Chatflows: If you suspect your instance may have been compromised prior to patching, audit all imported chatflows for suspicious JSON blobs or embedded scripts.
  4. Vendor Advisory: Refer to the official Flowise GitHub repository for the latest security release notes.
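For the audit step, the added example below (not part of the original advisory, and not Flowise's own tooling) scans exported chatflow JSON and reports the path of every prototype-related key and of every string value that looks like embedded code. The marker list is a starting heuristic and an assumption on my part, not a complete signature set; hits need manual review. The two exports are constructed for the demonstration.

```javascript
// Added example, not Flowise's code: scanner for exported chatflow JSON that
// reports prototype-related keys and string values that look like code.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Starting heuristic (assumption), checked in order; first hit per string wins.
const CODE_MARKERS = ['require(', 'child_process', 'process.binding', 'eval(', 'new Function', 'import('];

function auditChatflow(jsonText, name = 'chatflow') {
  const findings = [];
  const doc = JSON.parse(jsonText); // inspect only; nothing is merged or executed

  // Depth-first walk that records a JSON-path style location for each finding.
  function walk(node, path) {
    if (Array.isArray(node)) {
      node.forEach((item, i) => walk(item, `${path}[${i}]`));
    } else if (node !== null && typeof node === 'object') {
      // Object.entries lists the own "__proto__" property JSON.parse creates.
      for (const [key, value] of Object.entries(node)) {
        const childPath = path ? `${path}.${key}` : key;
        if (DANGEROUS_KEYS.has(key)) {
          findings.push({ path: childPath, reason: `prototype-related key "${key}"` });
        }
        walk(value, childPath);
      }
    } else if (typeof node === 'string') {
      const marker = CODE_MARKERS.find((m) => node.includes(m));
      if (marker) findings.push({ path, reason: `embedded code marker "${marker}"` });
    }
  }

  walk(doc, '');
  return { name, findings, clean: findings.length === 0 };
}

// Constructed exports for the demonstration (not real chatflows).
const CLEAN_EXPORT = JSON.stringify({
  nodes: [{ id: 'n1', data: { label: 'Chat Model', inputs: { temperature: 0.2 } } }],
  edges: [],
});
const SUSPICIOUS_EXPORT =
  '{"nodes":[{"id":"n1","data":{"inputs":{"code":"const cp = require(\'child_process\'); // constructed"}}}],'
  + '"edges":[],"__proto__":{"polluted":true}}';

// Audit a set of exports and print one line per finding.
function auditAll(exportsByName) {
  const reports = Object.entries(exportsByName).map(([name, text]) => auditChatflow(text, name));
  for (const report of reports) {
    console.log(`${report.name}: ${report.clean ? 'clean' : report.findings.length + ' finding(s)'}`);
    for (const f of report.findings) console.log(`  ${f.path}: ${f.reason}`);
  }
  return reports;
}

auditAll({ clean: CLEAN_EXPORT, suspicious: SUSPICIOUS_EXPORT });
```

Run this over every export in the chatflow store, not only the ones imported around the suspected compromise window; a planted chatflow stays dangerous for as long as an unpatched instance will re-import it.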
