More than 52,000 developers star the Flowise repo on GitHub, but a CVSS‑9.9 flaw now threatens every self‑hosted instance.
Key Takeaways
- Flowise CVE-2026-40933 lets attackers run arbitrary OS commands by importing a malicious chatflow.
- The root cause is a systemic command‑injection bug in Anthropic’s MCP protocol.
- Exploitation can give attackers root privileges in containerized deployments.
- Flowise Cloud is safe; the vulnerability only affects self‑hosted installations before version 3.1.0.
- Obsidian Security released PoC code that opens a reverse shell to Docker’s bridge address.
Historical Context
Flowise entered the open‑source landscape as a drag‑and‑drop platform for building LLM‑driven agents. Its rapid adoption was driven by a low barrier to entry and a vibrant community that contributed plugins, extensions, and ready‑made chatflows. The repository’s star count crossed the 50‑thousand mark early on, signalling a level of trust that many enterprises later used for internal AI projects.
At the same time, Anthropic released the Model‑Control‑Protocol (MCP) as a lightweight way for language models to invoke external tools. The design emphasized simplicity: a standard input/output (stdio) stream would carry commands and results between the model and a host process. Early adopters appreciated the ease of wiring MCP into existing services, and Flowise was among the first to bake the protocol into its node library.
Because MCP was still evolving, the specification left command validation to the implementing application. That omission later proved critical when Flowise exposed a UI path that allowed any user to add a new MCP endpoint. The combination of a permissive protocol and an open UI created a perfect storm for the CVE‑2026‑40933 flaw.
Flowise RCE vulnerability: How the exploit works
Obsidian Security disclosed the issue in April, assigning it the identifier CVE-2026-40933. The NIST advisory describes it as an unsafe serialization of stdio commands in the MCP adapter, which lets an attacker add an MCP stdio server with an arbitrary command and achieve code execution. The vulnerability existed because Flowise before version 3.1.0 allowed any user to add a new MCP and, when doing so, to add any command, enabling code execution on the underlying OS.
In practice, an attacker can craft a chatflow that includes a Custom MCP Tool with a malicious stdio MCP configuration. When a victim imports that chatflow, Flowise’s backend enumerates the MCP server’s tools to populate the “Available Actions” dropdown. That enumeration step actually runs the configured command, so the malicious command executes as soon as the imported flow renders on the canvas.
“Any user who can create or edit chatflows can add a Custom MCP Tool and supply a malicious stdio MCP configuration. In practice, this requires a malicious insider or a compromised user account,” Obsidian notes.
Because the import action is a legitimate workflow, users don’t need to click anything beyond confirming the import. The exploit therefore bypasses typical defenses that look for suspicious binaries or network traffic, making it especially dangerous for teams that trust their internal tooling.
The Anthropic MCP chain of faults
Anthropic’s MCP protocol was designed to let LLM agents call external tools via a simple stdio interface. OX Security called the flaw a “by design” systemic command injection, meaning the protocol itself doesn’t validate the commands it receives. That design flaw propagates through any product that builds on MCP, and Flowise is the most visible example because of its drag‑and‑drop UI and its massive open‑source community.
When Flowise’s Custom MCP node asks the backend to enumerate the server’s tools, the stdio transport starts the configured command. That step is hard‑coded into the MCP spec, so any product that follows the spec inherits the same risk unless it explicitly disables stdio or adds its own validation layer.
Real‑world impact: From Docker bridge to root access
Obsidian published PoC code that, when imported, creates a shell back to Docker’s bridge address for the host. In containerized deployments, the Flowise process often runs as root, so the shell lands with full host privileges. The researchers wrote that successful exploitation leads to “OS‑level execution with the Flowise process’s privileges, often root in containerized deployments. Every credential stored in the platform is readable. Every connected service is reachable.”
Because Flowise in production typically wires into databases, APIs, and cloud accounts, the blast radius scales with whatever it connects to. An attacker who gains root can read API keys, exfiltrate data, and pivot to other services in the same network. That’s why the advisory rates the bug at a near‑maximum CVSS 9.9 score.
Mitigation path: Patching, config changes, and cloud safe harbor
Flowise Cloud isn’t affected, because the SaaS version has stdio MCP disabled by default. For self‑hosted users, the immediate step is to upgrade to version 3.1.0 or later, where the ability to add arbitrary commands was removed. If you can’t upgrade right away, you should disable stdio MCP in the configuration and restrict who can edit chatflows.
- Upgrade to Flowise 3.1.0 or newer.
- Disable stdio transport in the MCP settings.
- Restrict chatflow edit permissions to trusted accounts.
- Audit existing chatflows for any Custom MCP Tools that reference stdio.
- Monitor Docker bridge traffic for unexpected reverse shells.
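The monitoring item in the checklist above, worked through as an added example (not code from Flowise, Obsidian or the advisory): a small detector that reads connection records and flags any connection a container opens back to the host's bridge address on a port that is not an approved host service. The record format is constructed for the example, and the bridge subnet and gateway are Docker's defaults (172.17.0.0/16 and 172.17.0.1), which are assumptions to adjust for a real deployment.

```python
"""Flag container-to-host connections on the Docker bridge that are not an
approved host service. Added example; the key=value record format is
constructed and the bridge addresses are Docker's defaults (assumptions)."""
import ipaddress
from dataclasses import dataclass

# Docker's default bridge (docker0). Assumption: adjust to your deployment.
BRIDGE_SUBNET = ipaddress.ip_network("172.17.0.0/16")
BRIDGE_GATEWAY = ipaddress.ip_address("172.17.0.1")  # the host, seen from containers


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one record of the form
    'ts=<iso8601> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>'."""
    fields = dict(token.split("=", 1) for token in line.split())
    src_ip, src_port = fields["src"].rsplit(":", 1)
    dst_ip, dst_port = fields["dst"].rsplit(":", 1)
    return Flow(fields["ts"], ipaddress.ip_address(src_ip), int(src_port),
                ipaddress.ip_address(dst_ip), int(dst_port), fields["proto"])


def container_to_host_alerts(lines, approved_host_ports=frozenset()):
    """Return every flow in which a container on the bridge connects to the
    host's bridge address on a port outside approved_host_ports.

    A shell called back to the bridge address produces exactly this pattern,
    but so does any legitimate host service the container uses (a database
    on the host, for instance), which is why the approved-port set exists."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        if (flow.src in BRIDGE_SUBNET and flow.src != BRIDGE_GATEWAY
                and flow.dst == BRIDGE_GATEWAY
                and flow.dport not in approved_host_ports):
            alerts.append(flow)
    return alerts


# Constructed sample flows: ordinary API egress (TEST-NET-3 address), an
# approved host database, a connection to the gateway on an arbitrary high
# port, and a host-initiated connection to the container (not an alert).
SAMPLE_FLOWS = """
ts=2026-04-20T10:00:01Z src=172.17.0.3:51234 dst=203.0.113.10:443 proto=tcp
ts=2026-04-20T10:00:02Z src=172.17.0.3:51240 dst=172.17.0.1:5432 proto=tcp
ts=2026-04-20T10:00:03Z src=172.17.0.3:51302 dst=172.17.0.1:4444 proto=tcp
ts=2026-04-20T10:00:04Z src=172.17.0.1:40000 dst=172.17.0.3:3000 proto=tcp
"""

if __name__ == "__main__":
    for f in container_to_host_alerts(SAMPLE_FLOWS.splitlines(), {5432}):
        print(f"ALERT {f.ts} {f.src}:{f.sport} -> host {f.dst}:{f.dport}")
```

Run against the sample, only the connection to port 4444 is reported when 5432 is approved; with an empty approved set the database connection is reported too, which is the intended behaviour: every container-to-host port that is not explicitly approved is worth a look.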
Obsidian also recommends rotating any credentials that were stored in the platform before the vulnerability was patched, because an attacker could have read them already. That’s a painful step, but it’s the only way to guarantee you haven’t left a backdoor open.
What This Means For You
If you’re running Flowise on premises, you need to treat this as an emergency patch. The exploit is trivial: a crafted JSON file can be shared via email or a code repository, and importing it gives an attacker full control. That means any CI/CD pipeline that pulls in community‑generated chatflows is a potential attack vector. You’ll want to add a gate that scans incoming JSON for the “Custom MCP Tool” key before it reaches the Flowise backend.
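The import gate suggested in the paragraph above, and the "audit existing chatflows for Custom MCP Tools that reference stdio" step from the mitigation checklist, as one added example. This is not Flowise's code or Obsidian's: the chatflow export layout (a `nodes` array whose entries carry `data.label` and `data.inputs`, and an `mcpServerConfig` input holding a JSON-encoded server config) is an assumption for illustration, so the scanner walks the whole node rather than trusting those names, and treats any dict with a string `command` key inside an MCP-labelled node as a stdio launch. Found commands are judged against an operator allowlist of binaries, which is empty by default so that every stdio MCP server is rejected unless someone has explicitly approved it.

```python
"""Gate for imported Flowise chatflow JSON: find Custom MCP Tool nodes that
launch a stdio command and reject any command not on an allowlist.
Added example; node and field names are assumptions, not Flowise's schema."""
import json
import shlex
from typing import Any, Iterator

# Binaries approved to run as stdio MCP servers. Empty = none allowed.
ALLOWED_STDIO_BINARIES: frozenset = frozenset()


def _walk(obj: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, value) for every value in a nested structure."""
    yield path, obj
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")


def _node_is_mcp(node: dict) -> bool:
    """Heuristic: the node's type, label or name mentions MCP."""
    data = node.get("data") if isinstance(node.get("data"), dict) else {}
    candidates = [node.get("type"), data.get("label"), data.get("name"), data.get("type")]
    return any(isinstance(c, str) and "mcp" in c.lower() for c in candidates)


def _stdio_configs(node: dict) -> Iterator[tuple[str, dict]]:
    """Yield (path, config) for every dict with a string 'command' key in the
    node. Also looks inside JSON-encoded strings, on the assumption that a
    UI text input may hold the server config serialized as JSON."""
    for path, value in _walk(node):
        if isinstance(value, dict) and isinstance(value.get("command"), str):
            yield path, value
        elif isinstance(value, str) and value.lstrip().startswith("{"):
            try:
                inner = json.loads(value)
            except ValueError:
                continue
            for ipath, ivalue in _walk(inner, path + "(json)"):
                if isinstance(ivalue, dict) and isinstance(ivalue.get("command"), str):
                    yield ipath, ivalue


def command_verdict(command: str, allowed: frozenset = ALLOWED_STDIO_BINARIES) -> str:
    """Return 'allowed' or the reason for rejection. Only the binary name is
    allowlisted; shell metacharacters are rejected outright so the string can
    never be reinterpreted by a shell, whatever transport later runs it."""
    if any(ch in command for ch in ";&|`$<>\n"):
        return "shell metacharacters present"
    try:
        argv = shlex.split(command)
    except ValueError:
        return "unparseable command string"
    if not argv:
        return "empty command"
    binary = argv[0].rsplit("/", 1)[-1]
    if binary not in allowed:
        return f"binary {binary!r} not in allowlist"
    return "allowed"


def scan_chatflow(chatflow: dict, allowed: frozenset = ALLOWED_STDIO_BINARIES) -> list[dict]:
    """One finding per stdio command configured in an MCP-like node."""
    findings = []
    for i, node in enumerate(chatflow.get("nodes", [])):
        if not isinstance(node, dict) or not _node_is_mcp(node):
            continue
        for path, cfg in _stdio_configs(node):
            findings.append({
                "node_index": i,
                "node_id": node.get("id"),
                "path": path,
                "command": cfg["command"],
                "args": cfg.get("args", []),
                "verdict": command_verdict(cfg["command"], allowed),
            })
    return findings


def gate(chatflow_json: str, allowed: frozenset = ALLOWED_STDIO_BINARIES) -> tuple[bool, list[dict]]:
    """CI gate: (accept, findings). Any non-allowed stdio command rejects the import."""
    findings = scan_chatflow(json.loads(chatflow_json), allowed)
    return all(f["verdict"] == "allowed" for f in findings), findings


# Constructed sample export; layout and field names are assumptions.
SAMPLE_CHATFLOW = json.dumps({
    "nodes": [
        {"id": "chatModel_0", "type": "customNode",
         "data": {"label": "ChatOpenAI", "inputs": {"modelName": "example-model"}}},
        {"id": "customMCP_0", "type": "customNode",
         "data": {"label": "Custom MCP Tool",
                  "inputs": {"mcpServerConfig": json.dumps(
                      {"command": "sh", "args": ["-c", "echo constructed-sample"]})}}},
    ]
})

if __name__ == "__main__":
    accept, findings = gate(SAMPLE_CHATFLOW)
    print("ACCEPT" if accept else "REJECT")
    for f in findings:
        print(f"  {f['node_id']} {f['path']}: {f['command']} {f['args']} -> {f['verdict']}")
```

The scanner is a pre-import check, not a substitute for the 3.1.0 upgrade: it tells you which flows in a repository or mailbox would launch a process on import, and which binary they would launch, before the Flowise backend ever enumerates the server's tools.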
Developers who rely on Flowise’s integration with external APIs should also audit those connections. The vulnerability doesn’t just let an attacker run commands; it also lets them read every credential stored in the platform, which could include keys to your cloud accounts, database passwords, and more. If you can’t upgrade immediately, isolate Flowise containers from your internal network and enforce least‑privilege container runtimes.
Competitive Landscape
Flowise isn’t the only drag‑and‑drop AI orchestrator on the market. Several alternatives adopt similar plugin architectures and, in many cases, rely on the same underlying tool‑calling protocols. When a protocol like MCP has a known injection weakness, every product that implements it inherits the same exposure unless it adds a mitigation layer.
Vendors that have already disabled stdio by default, or that ship with a hardened command‑validation sandbox, will appear more attractive to security‑focused teams. Those that still permit arbitrary command strings must either issue a rapid update or provide a clear migration path. The current incident is therefore a litmus test for how quickly competing platforms can respond to a systemic flaw.
Customers evaluating new solutions should review each vendor’s handling of MCP or any equivalent tool‑calling spec. A checklist that includes “stdio transport disabled by default,” “role‑based access control for flow editing,” and “audit logs for custom tool additions” can help separate products that have learned from Flowise’s misstep from those that haven’t.
Key Questions Remaining
- Will Anthropic revise the MCP specification to embed command validation, or will they leave the responsibility to downstream developers?
- How many self‑hosted Flowise deployments remain on versions older than 3.1.0, and what is the realistic timeline for those operators to upgrade?
- Can the community develop a shared scanning tool that automatically flags malicious MCP configurations in imported chatflows?
- What additional safeguards can container orchestration platforms add to prevent a reverse shell from reaching the host, even if a container is compromised?
Looking ahead: Securing AI toolchains
The Flowise incident highlights how a single protocol flaw can cascade through an entire ecosystem of AI‑enabled tools. As more teams adopt drag‑and‑drop platforms to build LLM agents, the attack surface expands beyond the models themselves to the glue code that connects them. That’s why the upcoming AI Risk Summit in August is focusing on supply‑chain hardening for AI ecosystems.
Will the next generation of AI orchestration frameworks learn from this mistake and bake in stricter validation, or will they keep relying on protocols like MCP that were never built with security as a first‑class citizen? Only time will tell, but developers can’t afford to wait.
Sources: SecurityWeek, original report