CVE-2026-58057 Overview
CVE-2026-58057 affects Flowise versions before 3.1.3. The flaw resides in the Custom Model Context Protocol (MCP) stdio environment variable validation logic. Flowise compares environment variable names against a denylist using a case-sensitive check. On Windows, environment variable names are case-insensitive, so supplying node_options bypasses the NODE_OPTIONS denylist entry.
An authenticated user with permission to configure a Custom MCP node can inject NODE_OPTIONS --require and execute arbitrary code in the Flowise server process context. The weakness is tracked under [CWE-178] (Improper Handling of Case Sensitivity).
Critical Impact
Authenticated attackers on Windows Flowise deployments can achieve arbitrary code execution within the server context by bypassing the environment variable denylist.
Affected Products
- Flowise versions prior to 3.1.3
- Flowise Custom MCP stdio node configuration
- Windows-hosted Flowise server deployments
Discovery Timeline
- 2026-06-28 - CVE-2026-58057 published to NVD
- 2026-06-29 - Last updated in NVD database
Technical Details for CVE-2026-58057
Vulnerability Analysis
Flowise supports Custom MCP nodes that can spawn stdio-based subprocesses with a user-supplied environment map. To prevent abuse, the application maintains a denylist of sensitive environment variable names, including NODE_OPTIONS. The denylist check performs a case-sensitive string comparison against submitted keys.
On Windows platforms, the operating system treats environment variable names in a case-insensitive manner. When Flowise forwards a variable named node_options to a spawned Node.js child process on Windows, the child process resolves it as NODE_OPTIONS. This produces a semantic mismatch between the validation layer and the execution layer.
Successful exploitation requires an authenticated user who can configure a Custom MCP node. The impact is code execution inside the Flowise server process, enabling secret theft, lateral movement, and pipeline tampering.
Root Cause
The root cause is improper handling of case sensitivity [CWE-178] in the denylist enforcement logic. The validator applies a byte-for-byte comparison, while the downstream Windows runtime performs case-insensitive lookups. Any denylist relying on exact-case matches fails on this platform.
Attack Vector
The attack requires network access to the Flowise interface and low-privileged authenticated access sufficient to edit Custom MCP node configuration. The attacker submits a node_options environment entry with a payload such as --require=\\path\\to\\malicious.js. When Flowise spawns the Node.js MCP subprocess on Windows, NODE_OPTIONS is honored and the attacker-controlled module loads before any application code executes.
For technical exploitation details, see the VulnCheck Security Advisory and the published GitHub PoC Repository.
Detection Methods for CVE-2026-58057
Indicators of Compromise
- Custom MCP node configurations containing environment keys such as node_options, Node_Options, or other mixed-case variants of denylisted variables.
- Flowise child processes launched with NODE_OPTIONS values referencing --require, --import, or --experimental-loader.
- Unexpected file reads or spawned processes originating from the Flowise Node.js runtime on Windows hosts.
Detection Strategies
- Audit Flowise database records and configuration exports for MCP node env maps containing any case variation of restricted variable names.
- Monitor process creation telemetry on Windows for node.exe invocations with NODE_OPTIONS values referencing external scripts or non-standard module paths.
- Correlate authenticated Flowise API calls that modify MCP nodes with subsequent child process launches from the Flowise service account.
Monitoring Recommendations
- Enable process command-line logging on Flowise Windows hosts and alert on Node.js children with --require arguments.
- Log all Custom MCP node create and update events at the application layer and review them for suspicious environment keys.
- Track outbound network connections initiated by the Flowise process for beacon patterns following configuration changes.
How to Mitigate CVE-2026-58057
Immediate Actions Required
- Upgrade Flowise to version 3.1.3 or later, which corrects the denylist comparison to be case-insensitive.
- Restrict Custom MCP node configuration privileges to trusted administrators only.
- Review existing MCP node configurations and remove any entries containing case variants of NODE_OPTIONS or other sensitive environment names.
Patch Information
The vendor fix is delivered in Flowise 3.1.3. See the upstream GitHub Pull Request for the specific code changes that normalize environment variable names before denylist comparison.
Workarounds
- Run Flowise on Linux or containerized Linux hosts where environment variable name handling is case-sensitive, if upgrading is not immediately possible.
- Disable the Custom MCP stdio node type or block user roles from editing MCP node definitions until the patch is applied.
- Apply a reverse proxy or WAF rule that rejects Flowise API requests containing case variants of denylisted environment keys in MCP configuration payloads.
# Verify installed Flowise version and upgrade
npm list -g flowise
npm install -g flowise@3.1.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

