Cross-User Code Access via Workflow Engine RCE #215

@BroehainIsHere

Description

Describe the bug
An RCE vulnerability in the Automation Workflows "Custom Code" block allows any authenticated user to execute arbitrary Node.js code as root. Critically, this RCE enables a user to read the workflow code (and potentially data) of other users in real time, resulting in a cross-tenant data breach. Tested using a second account. This exploit has a race condition.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'app.aixblock.io', make an account
  2. Click on 'Automation Workflows', then 'Flows', then 'New Flow', then 'From Scratch'
  3. Select any first trigger
  4. Select the 'Custom Code' block by scrolling down in the 'Core' section
  5. RCE vulnerability; execute arbitrary Node.js code and read the workflow code of other users

Expected Behavior
Custom code was not expected to run as root or to give access to other users' data.

Impact Statement
This breaks all tenant isolation, exposes possibly proprietary business logic, and could lead to theft of sensitive data / secrets / IPs. In a multi-tenant SaaS environment, this is a potentially critical security failure.

Desktop:

  • OS: Windows 11
  • Browser: Chrome and Edge
  • Version: Latest
