Critical RCE Vulnerability Discovered in Flowise's MCP Implementation
Severity: High (Score: 72.0)
Sources: www.obsidiansecurity.com, Csoonline
Keywords: flowise, security, researchers, obsidian, open-source, platform, stdio
Summary
Obsidian Security identified a critical one-click remote code execution (RCE) vulnerability in Flowise (CVE-2026-40933), affecting self-hosted deployments. The flaw allows attackers to execute arbitrary server-side code by importing malicious chatflows, compromising server environments and sensitive data. Flowise's stdio MCP configuration lacks proper sandboxing, enabling this exploit. Although Flowise Cloud is safe due to stdio MCP being disabled, self-hosted versions remain vulnerable. The current patch relies on input validation that can be easily bypassed, leaving systems at risk. This vulnerability has a CVSS score of 9.9, indicating near-max severity. Organizations using Flowise are urged to review their configurations and consider disabling stdio MCP to mitigate risks.

Key Points:
- CVE-2026-40933 allows one-click RCE in self-hosted Flowise deployments.
- The vulnerability stems from inadequate sandboxing in stdio MCP configurations.
- Current patches are insufficient, relying on easily bypassed input validation.
Detailed Analysis
**Impact** Self-hosted deployments of Flowise, an open-source AI workflow platform with over 52,000 GitHub stars, are vulnerable to a critical remote code execution (RCE) flaw (CVE-2026-40933). The vulnerability allows attackers to fully compromise servers by importing a malicious chatflow, risking exposure of server environments, stored credentials, API keys, and connected SaaS/cloud resources. Flowise Cloud users are not affected due to disabled stdio MCP. The flaw impacts enterprises using Flowise for internal AI assistants, RAG applications, customer chatbots, and autonomous agents, with potential root-level access in containerized environments.

**Technical Details** The vulnerability arises from Flowise’s implementation of the Model Context Protocol (MCP) stdio transport, which executes user-supplied commands as child processes without sandboxing. Attackers exploit this by embedding malicious MCP configurations in chatflows, triggering arbitrary server-side code execution at import time with Flowise process privileges. The flaw is rated CVSS 9.9 and affects the post-authentication kill chain stage. Attempts to mitigate via input validation (#5232, #5741, #5943) are bypassable. No specific IOCs or malware tools were disclosed.

**Recommended Response** Disable stdio MCP by setting the environment variable `CUSTOM_MCP_PROTOCOL=sse` to fully mitigate the risk. For environments where stdio MCP is necessary, enforce strict review and pinning of trusted packages, and scrutinize imported chatflows from untrusted sources. Monitor for unusual child process executions and anomalous MCP configuration changes. Apply the latest Flowise updates but do not rely solely on input validation fixes, as they are insufficient.
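One way to apply the review step above before a chatflow is imported, as an added example that is not code from Flowise or Obsidian Security. It assumes a stdio MCP server entry appears as a JSON object with a string `command` key (optionally `args`), possibly stored as JSON text inside a string field; the sample chatflow and its field names (`nodes`, `inputs`, `serverConfig`) are constructed for illustration.

```python
import json
import os

def find_stdio_mcp(node, path="$"):
    """Yield (path, command, args) for each object that carries a string "command" key."""
    if isinstance(node, str):
        # Configs may be stored as JSON text inside a string field: parse and descend.
        if node.strip().startswith(("{", "[")):
            try:
                yield from find_stdio_mcp(json.loads(node), path + "<json>")
            except ValueError:
                pass  # looked like JSON but is not
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_stdio_mcp(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        if isinstance(node.get("command"), str):
            args = node.get("args")
            yield path, node["command"], args if isinstance(args, list) else []
        for key, value in node.items():
            yield from find_stdio_mcp(value, f"{path}.{key}")

def audit(chatflow_text, env):
    """Report process-spawning entries and whether the deployment has stdio MCP disabled."""
    findings = list(find_stdio_mcp(json.loads(chatflow_text)))
    stdio_disabled = env.get("CUSTOM_MCP_PROTOCOL") == "sse"  # value given in the advisory
    return {"findings": findings, "stdio_disabled": stdio_disabled,
            "hold_for_review": bool(findings) and not stdio_disabled}

# Constructed sample export: one ordinary node, one node whose config launches a process.
SAMPLE = json.dumps({"nodes": [
    {"id": "llm_0", "data": {"inputs": {"temperature": 0.2}}},
    {"id": "mcp_0", "data": {"inputs": {"serverConfig": json.dumps(
        {"command": "npx", "args": ["-y", "example-mcp-server"]})}}},
]})

if __name__ == "__main__":
    report = audit(SAMPLE, dict(os.environ))
    for where, command, args in report["findings"]:
        print(f"{where}: would spawn {command} {' '.join(map(str, args))}")
    print("stdio MCP disabled:", report["stdio_disabled"])
    print("hold for review:", report["hold_for_review"])
```

Run it over every chatflow export received from outside the team; any finding on a host where `CUSTOM_MCP_PROTOCOL` is not `sse` should be reviewed by a person before import.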
Source articles (2)
- Flowise’s MCP implementation can run ghost commands — Csoonline · 2026-06-01
  Enterprises using the lightweight, open-source Flowise platform to power self-hosted AI workloads have a new near-max severity issue to worry about. Researchers at Obsidian Security have detailed a one-cli…
- When Is Stdio Mcp Actually A Vulnerability — www.obsidiansecurity.com · 2026-06-01
  Security researchers at Obsidian Security discovered a one-click RCE in Flowise (CVE-2026-40933), an open-source platform for building LLM workflows and AI agents with over 52k GitHub stars. An attack…
Timeline
- 2025-12-05 — CVE-2025-34291 published: Obsidian Security disclosed a critical account takeover and RCE vulnerability in Langflow, enabling full system compromise.
- 2026-04-15 — CVE-2026-30616 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-04-15 — CVE-2026-30617 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-04-15 — CVE-2026-30624 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-04-21 — CVE-2026-40933 published: Obsidian Security reported a one-click RCE vulnerability in Flowise's MCP implementation, affecting self-hosted versions.
- 2026-05-21 — CISA adds CVE-2025-34291 to KEV: CISA included CVE-2025-34291 in its Known Exploited Vulnerabilities catalog, indicating active exploitation.
CVEs
- CVE-2025-34291
- CVE-2025-65720
- CVE-2026-30616
- CVE-2026-30617
- CVE-2026-30623
- CVE-2026-30624
- CVE-2026-40933
Related entities
- Remote Code Execution (Attack Type)
- Zero-day Exploit (Attack Type)
- Flowise (Platform)
- Docker Compose (Platform)
- Langflow (Company)
- CWE-78 - OS Command Injection (Cwe)
- gist.in (Domain)
- http.in (Domain)
- 172.17.0.1 (Ipv4)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- Docker (Tool)
- Npx (Tool)