Critical Flowise MCP Bypass Allows Remote Code Execution
Flowise disclosed a critical remote code execution flaw, tracked as CVE-2026-56274, affecting versions before 3.1.2 in the Custom MCP Server feature. The vulnerability stems from multiple OS command injection paths in validateCommandFlags and validateArgsForLocalFileAccess, allowing attackers to configure a malicious MCP server and execute arbitrary commands on the Flowise host. The issue is rated CVSS 9.9 and is remotely exploitable.
Advisories describe three bypass techniques: an incomplete Docker argument blocklist that permits docker build with a remote URL, an npx blocklist bypass where --yes is allowed even though -y is blocked, and a Unix path validation weakness that lets paths beginning with // evade local file access checks for node. Exploitation requires any Flowise account role or API access with view and update permissions for chatflows. Organizations were urged to upgrade to Flowise 3.1.2 or later, review MCP server configurations, and restrict chatflow management permissions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-56274 published for Flowise versions before 3.1.2
CVE-2026-56274 was published describing a critical remote code execution vulnerability in Flowise before version 3.1.2 caused by MCP security bypasses. The entry notes a CVSS 3.1 score of 9.9 and recommends upgrading to Flowise 3.1.2 or later.
Flowise publishes advisory for MCP security bypass RCE
A GitHub security advisory disclosed three bypass techniques in Flowise's Custom MCP Server feature that can lead to arbitrary command execution on the Flowise server. The advisory states the issues affect vulnerable code in validateCommandFlags and validateArgsForLocalFileAccess and require a Flowise account or API access with chatflow view/update permissions.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Flowise - Remote Code Execution via MCP Security Bypass in validateCommandFlags and validateArgsForLocalFileAccess | Advisories | VulnCheck
vulncheck.com
Open sourceCVE-2026-56274 - Flowise - Remote Code Execution via MCP Security Bypass in validateCommandFlags and validateArgsForLocalFileAccess
cvefeed.io
Open sourceFlowise MCP Security Bypass Enables RCE · Advisory · FlowiseAI/Flowise · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Flowise Custom MCP Flaw Enables One-Click Remote Code Execution
Researchers disclosed **CVE-2026-40933**, a critical remote code execution flaw in self-hosted **Flowise** deployments tied to the platform’s Custom **MCP** support over `stdio`. The issue lets an authenticated attacker execute arbitrary OS commands with the privileges of the Flowise process by supplying a malicious MCP server configuration, either directly or by embedding it in a shared chatflow. In the demonstrated one-click scenario, importing the crafted chatflow alone can trigger server-side command execution when Flowise enumerates available MCP actions, before any save or run step. **Flowise Cloud** is not affected because `stdio` MCP is disabled, but open-source and enterprise self-hosted deployments are vulnerable by default. Reporting on the flaw said Flowise’s initial mitigation—blocking risky flags for allowlisted commands—does not fix the underlying problem because the feature still launches user-controlled processes, and researchers showed it can be bypassed through environment variables. Recommended defenses include upgrading to **Flowise 3.1.0**, limiting who can add or import MCP configurations, isolating Flowise from sensitive internal systems, and disabling `stdio` MCP unless it is strictly required by setting: ```bash CUSTOM_MCP_PROTOCOL=sse ``` The disclosures also warn that the bug reflects a broader architectural and supply-chain risk for agentic AI platforms that expose unsandboxed `stdio`-based MCP configuration to lower-trust users or untrusted artifacts.
Jun 1, 2026
Active Exploitation of Flowise CustomMCP RCE Exposes Thousands of Internet-Facing Instances
Threat actors are actively exploiting **CVE-2025-59528**, a **CVSS 10.0** remote code execution flaw in the open-source AI platform **Flowise**. The bug affects Flowise versions through **3.0.5** and stems from the `CustomMCP` node unsafely passing user-controlled input into JavaScript execution, allowing attackers with an API token to run arbitrary code with full **Node.js** runtime privileges. Researchers said the issue can be triggered remotely via a crafted HTTP `POST` request without user interaction, leading to operating system command execution, filesystem access, sensitive data theft, and full system compromise. Security researchers observed in-the-wild exploitation originating from a single **Starlink IP address**, while warning that roughly **12,000 to 15,000** internet-exposed Flowise instances sharply expand the attack surface for opportunistic attacks. Flowise disclosed the vulnerability in 2025, credited researcher **Kim SooHyun**, and patched the flaw in **version 3.0.6**. The incident marks the third Flowise vulnerability reported as exploited in the wild after **CVE-2025-8943** and **CVE-2025-26319**, increasing pressure on organizations to upgrade immediately and limit public exposure of Flowise APIs.
Apr 20, 2026
Critical Flowise RCE Vulnerability CVE-2025-61913 Enables Arbitrary File Read and Write
A critical remote code execution vulnerability, tracked as CVE-2025-61913, has been identified in Flowise, a drag-and-drop user interface for building customized large language model flows. The flaw exists in versions prior to 3.0.8 and is caused by insufficient restrictions in the WriteFileTool and ReadFileTool components, which fail to properly validate file path access. This oversight allows authenticated attackers to read and write arbitrary files to any location on the file system, significantly increasing the risk of remote code execution. The vulnerability has been assigned a CVSS score of 10.0, indicating its maximum severity and potential for exploitation. According to security advisories, the issue can be exploited remotely, making it a high-priority concern for organizations using affected versions of Flowise. The vulnerability was publicly disclosed on October 8, 2025, and a security update was released in version 3.0.8 to address the issue. Attackers leveraging this flaw could gain unauthorized access to sensitive files, modify system configurations, or deploy malicious payloads, potentially leading to full system compromise. The vulnerability affects all installations of Flowise prior to the patched version, though the exact list of affected products and vendors has not been fully enumerated. Security researchers emphasize the critical nature of the flaw due to the ease of exploitation and the broad impact on confidentiality, integrity, and availability. Organizations are strongly advised to upgrade to Flowise version 3.0.8 or later to mitigate the risk. The vulnerability was reported through GitHub security advisories, highlighting the importance of monitoring open-source project disclosures. No evidence of active exploitation in the wild has been reported as of the disclosure date, but the public availability of technical details increases the urgency for remediation. The flaw underscores the risks associated with insufficient input validation in file handling components of web applications. Security teams should review their deployment of Flowise and apply the necessary patches without delay. In addition to patching, organizations should audit access logs for signs of suspicious file operations that could indicate attempted exploitation. The incident serves as a reminder of the critical need for secure coding practices and regular vulnerability assessments in software development.
Mar 21, 2026