Description
Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute OS commands such as launching local MCP servers. Because Flowise's authentication and authorization model is minimal and lacks role-based access control, and the default installation runs without authentication unless FLOWISE_USERNAME and FLOWISE_PASSWORD are set, an attacker can send a crafted JSON payload with the header 'x-request-from: internal' to the /api/v1/node-load-method/customMCP endpoint to execute arbitrary OS commands, resulting in complete compromise of the platform container or server.
Published: 2026-06-25
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Flowise versions prior to 3.0.6 contain an unsandboxed remote code execution flaw in the Custom MCP feature, which is designed to execute OS commands such as launching local MCP servers. The flaw is triggered by a crafted JSON payload sent to the /api/v1/node-load-method/customMCP endpoint with the header "x-request-from: internal". Because Flowise implements a minimal authentication and authorization model that, by default, runs without credentials, an attacker who can reach the endpoint over the network can execute arbitrary OS commands, leading to full compromise of the Flowise container or host.

Affected Systems

The vulnerability affects all Flowise deployments running version 2.2.7-patch.1 and earlier, including default installations that do not set FLOWISE_USERNAME and FLOWISE_PASSWORD. Any instance where the Custom MCP endpoint is exposed on a network reachable by an attacker is susceptible.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical risk level. The lack of a publicly available EPSS score suggests no large-scale observed exploitation yet, and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be remote: an attacker who can reach the Custom MCP API can trigger the vulnerability. Successful exploitation would grant the attacker the operating-system privileges of the Flowise process, effectively resulting in a complete platform compromise.

Generated by OpenCVE AI on June 25, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.0.6 or later to apply the vendor fix.
  • Disable the Custom MCP feature or remove the /api/v1/node-load-method/customMCP endpoint if an upgrade is not immediately possible.
  • Enable authentication by setting FLOWISE_USERNAME and FLOWISE_PASSWORD or implement role-based access control to restrict API access.
  • Restrict network access to the Custom MCP endpoint so that only trusted internal services can reach it.
Advisories

No advisories yet.

History

Thu, 25 Jun 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | (empty) | Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute OS commands such as launching local MCP servers. Because Flowise's authentication and authorization model is minimal and lacks role-based access control, and the default installation runs without authentication unless FLOWISE_USERNAME and FLOWISE_PASSWORD are set, an attacker can send a crafted JSON payload with the header 'x-request-from: internal' to the /api/v1/node-load-method/customMCP endpoint to execute arbitrary OS commands, resulting in complete compromise of the platform container or server.
Title | (empty) | Flowise - Unsandboxed Remote Code Execution via Custom MCP
First Time appeared | (empty) | Flowiseai; Flowiseai flowise
Weaknesses | (empty) | CWE-78
CPEs | (empty) | cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Vendors & Products | (empty) | Flowiseai; Flowiseai flowise
References | (empty) | (empty)
Metrics | (empty) | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T21:41:06.841Z

Reserved: 2026-06-20T01:48:36.755Z

Link: CVE-2025-71336

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T08:45:12Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')