Critical Remote Code Execution Flaw Discovered in Flowise MCP Server

Flowise has disclosed a critical remote code execution vulnerability, tracked as CVE-2026-56274, affecting versions prior to 3.1.2 of its Custom MCP Server feature. The flaw consists of multiple OS command injection paths that bypass the validateCommandFlags and validateArgsForLocalFileAccess checks, which are meant to restrict the command and arguments a custom MCP server is launched with. An attacker holding any Flowise account role, or API access, can configure a malicious MCP server and obtain arbitrary command execution on the Flowise host. The vulnerability carries a CVSS score of 9.9, which is in the critical range and reflects remote exploitability with low privileges. Three bypass techniques have been identified, including an incomplete Docker argument blocklist and a regex bypass in the local file access checks. The vulnerability was published on June 23, 2026. Organizations are advised to upgrade to Flowise version 3.1.2 or later and to review existing MCP server configurations for unexpected commands or arguments.

Key Points:
• CVE-2026-56274 is a critical remote code execution vulnerability in Flowise before version 3.1.2.
• Attackers can exploit multiple OS command injection paths with any Flowise account role or API access.
• Organizations are urged to upgrade to version 3.1.2 and review their MCP server configurations.
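The two weakness classes named above, a blocklist of dangerous launch flags that misses spellings and a regex that only catches one traversal pattern, are common enough that the hardened shape is worth seeing side by side with the weak one. The following is an added illustration, not Flowise code and not the actual CVE-2026-56274 bypass: the flag sets, the `/srv/mcp` root, and the function names are invented for the example.

```typescript
import * as path from "path";

// Constructed example (not Flowise code). Both "weak" functions below stand in
// for the general pattern the advisory describes; the flag names and the
// allowed root directory are assumptions made for illustration.

// Weak pattern: a deny-list of flag spellings. Any spelling not listed passes,
// so "--volume=/:/host" or "--cap-add=SYS_ADMIN" sail through.
const BLOCKED_FLAGS = new Set(["--privileged", "-v", "--volume"]);

function blocklistValidate(args: string[]): boolean {
  return args.every((a) => !BLOCKED_FLAGS.has(a));
}

// Hardened pattern: an allow-list of flag names. Anything starting with "-"
// that is not explicitly permitted is rejected, including "--flag=value" forms.
// Positional values (image name, "--name foo") are passed through unchanged;
// a real implementation would also constrain those.
const ALLOWED_FLAGS = new Set(["--rm", "-i", "--name"]);

function allowlistValidate(args: string[]): boolean {
  for (const a of args) {
    if (a.startsWith("-")) {
      const eq = a.indexOf("=");
      const name = eq === -1 ? a : a.slice(0, eq);
      if (!ALLOWED_FLAGS.has(name)) return false;
    }
  }
  return true;
}

// Weak pattern: a regex that only rejects a literal "../" sequence. An
// absolute path such as "/etc/passwd" contains no "../" and passes.
const TRAVERSAL_RE = /\.\.\//;

function regexPathValidate(p: string): boolean {
  return !TRAVERSAL_RE.test(p);
}

// Hardened pattern: resolve the path against the permitted root and check
// containment on the resolved result, so absolute paths and ".." segments
// are handled by the resolver rather than by pattern matching.
const ROOT = "/srv/mcp"; // assumed directory that local file access is limited to

function resolvedPathValidate(p: string, root: string = ROOT): boolean {
  const resolved = path.posix.resolve(root, p);
  return resolved === root || resolved.startsWith(root + "/");
}
```

The point of the contrast is that the weak checks answer "does this input contain something I know is bad?" while the hardened ones answer "is this input one of the things I know is good?"; only the second question has a bounded set of answers.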


Timeline

2026-06-23
CVE-2026-56274 published
Flowise disclosed a critical remote code execution vulnerability affecting versions before 3.1.2 due to MCP security bypasses.
Mallory.Ai
2026-06-23
CVE-2026-56274 details released
Cvefeed.io reported on multiple OS command injection vulnerabilities in Flowise's Custom MCP Server feature.
cvefeed.io
