Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerability lies in a bug in the input sanitization from the “Custom MCP” configuration in http://localhost:3000/canvas - where any user can add a new MCP, when doing so - adding a new MCP using stdio, the user can add any command, even though your code have input sanitization checks such as validateCommandInjection and validateArgsForLocalFileAccess, and a list of predefined specific safe commands - these commands, for example "npx" can be combined with code execution arguments ("-c touch /tmp/pwn") that enable direct code execution on the underlying OS. This vulnerability is fixed in 3.1.0.
Published: 2026-04-21
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Unsafe serialization of stdio commands in the MCP adapter allows an authenticated user in Flowise to create a new MCP stdio server with an arbitrary command. The attacker bypasses existing sanitization checks, such as validateCommandInjection, validateArgsForLocalFileAccess, and the list of safe commands, by combining a safe command like npx with execution arguments. As a result, the attacker can execute arbitrary shell commands on the host operating system, giving full control over the server where Flowise is running. The vulnerability is classified as CWE‑78, reflecting an operating system command injection flaw. The impact is remote code execution that can compromise system confidentiality, integrity, and availability.

Affected Systems

Flowise AI’s Flowise platform and its flowise-components library are affected. The issue exists in all releases prior to version 3.1.0 of Flowise. Users running any older firmware or build that includes the legacy MCP adapter can be exploited.

Risk and Exploitability

The CVSS score of 10 marks this as a critical flaw. The EPSS score is not available, and it is not listed in the CISA KEV catalog, but the lack of an available exploit metric does not diminish the inherent severity. Exploitation requires a valid authenticated session within the Flowise UI; the attacker must use the http://localhost:3000/canvas interface to add a new MCP. Because the exploit consumes user privileges and creates a new MCP that runs arbitrary code, the attack vector is effectively local to the application’s authentication boundary but can lead to full system compromise. No public proof‑of‑concept is currently documented, yet the fixed nature of the vulnerability and the simplicity of the payload suggest that a motivated attacker could leverage this flaw to achieve remote code execution once authenticated.

Generated by OpenCVE AI on April 22, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Flowise update to version 3.1.0 or later to remove the insecure stdio serialization.
  • If an update is delayed, disable or restrict the Custom MCP configuration so that authenticated users cannot add new MCPs, or remove the stdio adapter plugin entirely.
  • Monitor Flowise logs for unauthorized MCP creation events or unexpected command execution, and enforce strict access controls on the Flowise instance until the patch is applied.

Generated by OpenCVE AI on April 22, 2026 at 06:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c9gw-hvqq-f33r Flowise: Authenticated RCE Via MCP Adapters
History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Flowiseai
Flowiseai flowise
Flowiseai flowise-components
Vendors & Products Flowiseai
Flowiseai flowise
Flowiseai flowise-components

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerability lies in a bug in the input sanitization from the “Custom MCP” configuration in http://localhost:3000/canvas - where any user can add a new MCP, when doing so - adding a new MCP using stdio, the user can add any command, even though your code have input sanitization checks such as validateCommandInjection and validateArgsForLocalFileAccess, and a list of predefined specific safe commands - these commands, for example "npx" can be combined with code execution arguments ("-c touch /tmp/pwn") that enable direct code execution on the underlying OS. This vulnerability is fixed in 3.1.0.
Title Flowise: Authenticated RCE Via MCP Adapters
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Flowiseai Flowise Flowise-components
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:20:11.714Z

Reserved: 2026-04-15T20:40:15.518Z

Link: CVE-2026-40933

cve-icon Vulnrichment

Updated: 2026-04-22T13:19:57.512Z

cve-icon NVD

Status : Received

Published: 2026-04-21T22:16:19.383

Modified: 2026-04-22T14:17:03.300

Link: CVE-2026-40933

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:45:04Z

Weaknesses