Description
Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions. An attacker with a Flowise account of any role, or API access with view/update permissions for chatflows, can configure a malicious MCP server to bypass the validateCommandFlags blocklist (for example, 'docker build' is not blocked, and 'npx --yes' is not blocked while only '-y' is) and the validateArgsForLocalFileAccess checks, resulting in execution of arbitrary commands on the Flowise host.
Published: 2026-06-23
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Flowise versions prior to 3.1.2 contain OS command injection vulnerabilities in the Custom MCP Server feature. A custom MCP server is configured with a command line that Flowise executes to start it; the checks meant to constrain that command line, the validateCommandFlags blocklist and the validateArgsForLocalFileAccess checks, can be bypassed by a crafted server configuration, so an attacker can run arbitrary commands on the Flowise host. This endangers the confidentiality, integrity and availability of the host itself, not only of the Flowise application.
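As an added illustration of the flaw class (this is not Flowise's code and not its actual validateCommandFlags or validateArgsForLocalFileAccess implementation), the TypeScript below contrasts an exact-token flag denylist of the kind the Description faults (blocks '-y' but not '--yes', never considers 'docker build') with an allowlist-based validator that also contains paths by resolving them instead of matching them with a regex. The executable names, flag sets, sample configurations and the approved root directory /opt/flowise/mcp are assumptions made for the example.

```typescript
import * as path from "path";

// Added, illustrative code for CVE-2026-56274. It is NOT Flowise's own
// validateCommandFlags / validateArgsForLocalFileAccess; command names, flag
// sets and the root directory below are assumptions for the example.

interface McpServerConfig {
  command: string; // executable the MCP server is launched with, e.g. "npx"
  args: string[];  // argv handed to that executable
}

// --- Weak validator: exact-token denylist (the pattern that gets bypassed) --
const BLOCKED_TOKENS = new Set(["-y", "-c", "--eval"]); // assumed list

function weakValidateCommandFlags(cfg: McpServerConfig): boolean {
  // Matches tokens exactly, so "--yes", "--yes=true", clustered "-yp" and an
  // executable the list never mentions (e.g. "docker") all pass untouched.
  return !cfg.args.some((token) => BLOCKED_TOKENS.has(token));
}

// --- Hardened validator: allowlist executable, allowlist flags, contain paths
interface CommandPolicy {
  flags: Set<string>;            // the only flags accepted for this executable
  positionalsArePaths: boolean;  // true => every positional must live in the root
}

const ALLOWED_COMMANDS: Record<string, CommandPolicy> = {
  node: { flags: new Set<string>(), positionalsArePaths: true },
  npx: { flags: new Set(["-p", "--package"]), positionalsArePaths: false },
};

const APPROVED_ROOT = path.resolve("/opt/flowise/mcp"); // assumed directory

// "--flag=value" -> "--flag". Clustered short flags ("-yp") are returned whole
// and therefore never match an allowlisted flag.
function flagName(token: string): string {
  const eq = token.indexOf("=");
  return eq > 0 ? token.slice(0, eq) : token;
}

// Containment by resolution, not by regex: resolve the candidate against the
// root and require the relative path to stay inside it.
function isInsideRoot(candidate: string, root: string = APPROVED_ROOT): boolean {
  const resolved = path.resolve(root, candidate);
  const rel = path.relative(root, resolved);
  return rel !== "" && rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

function strictValidate(cfg: McpServerConfig): { ok: boolean; reason?: string } {
  const exe = path.basename(cfg.command);
  const policy = ALLOWED_COMMANDS[exe];
  if (!policy) return { ok: false, reason: `executable not allowlisted: ${exe}` };

  for (const token of cfg.args) {
    if (token.startsWith("-")) {
      if (!policy.flags.has(flagName(token))) {
        return { ok: false, reason: `flag not allowlisted: ${token}` };
      }
      continue;
    }
    const looksLikePath =
      policy.positionalsArePaths || token.startsWith(".") || token.startsWith("/");
    if (looksLikePath && !isInsideRoot(token)) {
      return { ok: false, reason: `path escapes approved root: ${token}` };
    }
  }
  return { ok: true };
}

// Constructed sample configurations mirroring the bypasses in the Description.
const SAMPLES: McpServerConfig[] = [
  { command: "npx", args: ["-y", "some-mcp-server"] },        // caught by both
  { command: "npx", args: ["--yes", "some-mcp-server"] },     // denylist bypass
  { command: "npx", args: ["--yes=true", "some-mcp-server"] },
  { command: "docker", args: ["build", "."] },                // never denylisted
  { command: "node", args: ["../../etc/passwd"] },            // path escape
  { command: "node", args: ["server.js"] },                   // legitimate
];

function compare(cfg: McpServerConfig): { weak: boolean; strict: boolean } {
  return { weak: weakValidateCommandFlags(cfg), strict: strictValidate(cfg).ok };
}

for (const cfg of SAMPLES) {
  const r = compare(cfg);
  console.log(`${cfg.command} ${cfg.args.join(" ")}  weak=${r.weak} strict=${r.strict}`);
}
```

The point of the contrast is that a denylist has to enumerate every alias, spelling and unrelated executable an attacker might use, whereas an allowlist rejects anything it has not explicitly been told about; the same applies to path checks, where resolving and comparing against a root is robust to the encodings and separators a regex tends to miss.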

Affected Systems

All Flowise installations running a version earlier than 3.1.2 are affected. Exploitation does not depend on role: any Flowise account, or any API key with view/update permissions on chatflows, is sufficient to save a malicious Custom MCP Server configuration.

Risk and Exploitability

The CVSS v4.0 score of 8.7 rates the flaw High; the record also carries a CVSS v3.1 score of 9.9 (Critical), whose vector marks scope as changed, i.e. the impact extends beyond the Flowise application to the host it runs on. EPSS data is not available and the vulnerability is not listed in CISA KEV, but the SSVC assessment records Exploitation: poc, so a proof of concept should be assumed to exist. The attack is network-reachable and needs only low privileges and no user interaction (AV:N/AC:L/PR:L/UI:N): an attacker holding any Flowise account, or an API key with chatflow view/update permissions, saves a chatflow whose Custom MCP Server configuration carries a command line that the flag blocklist and local-file-access regex do not catch, and that command runs on the host when Flowise starts the server. Authentication to the Flowise instance is required; unauthenticated exploitation is not described.

Generated by OpenCVE AI on June 23, 2026 at 13:25 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The affected range ("before 3.1.2") identifies 3.1.2 as the first fixed release.

OpenCVE Recommended Actions

  • Upgrade Flowise to 3.1.2 or later, the first release outside the affected range.
  • Until the upgrade is done, disable or remove the Custom MCP Server feature if it is not required; while it stays enabled, treat every account or API key that can edit chatflows as able to run commands on the host.
  • Enforce least privilege: remove view or update permissions on chatflows from accounts and API keys that do not need them, and review existing chatflows for Custom MCP Server configurations nobody recognises.



Advisories

No advisories yet.

History

Tue, 23 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 12:45:00 +0000

Type                  Values Removed   Values Added
Description           (none)           Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions. An attacker with a Flowise account of any role, or API access with view/update permissions for chatflows, can configure a malicious MCP server to bypass the validateCommandFlags blocklist (for example, 'docker build' is not blocked, and 'npx --yes' is not blocked while only '-y' is) and the validateArgsForLocalFileAccess checks, resulting in execution of arbitrary commands on the Flowise host.
Title                 (none)           Flowise - Remote Code Execution via MCP Security Bypass in validateCommandFlags and validateArgsForLocalFileAccess
First Time appeared   (none)           Flowiseai; Flowiseai flowise
Weaknesses            (none)           CWE-78
CPEs                  (none)           cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Flowiseai; Flowiseai flowise
References            (none)           (none)
Metrics               (none)           cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}
                                       cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T13:05:20.491Z

Reserved: 2026-06-20T01:47:54.000Z

Link: CVE-2026-56274

Vulnrichment

Updated: 2026-06-23T13:05:11.340Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T13:30:03Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')