Flowise’s MCP implementation can run ghost commands
Summary
A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-40933, has been discovered in self-hosted Flowise deployments. The flaw is in the implementation of Model Context Protocol (MCP) stdio servers and allows attackers to trigger code execution with a single click via a malicious chatflow import. In containerized environments, this could grant attackers root-level access.
IFF Assessment
A critical RCE vulnerability that can be triggered with a single click is significant bad news for defenders, as it exposes a widely used AI platform to easy compromise.
Severity
This vulnerability allows remote code execution with minimal user interaction (a single-click import), impacts confidentiality, integrity, and availability, and is easily exploitable over the network.
Defender Context
Defenders using or supporting Flowise deployments should prioritize patching this vulnerability immediately. The ease of exploitation and the potential for high-level access mean that any exposed instances are at significant risk. This highlights the need for robust input validation and sandboxing in AI orchestration platforms.
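
As an illustration of the input validation mentioned above, the following added example (not Flowise code and not from the advisory) audits a chatflow export before import and fails closed on any embedded command definition. It assumes exports are JSON and that a stdio MCP server definition appears as an object with a `command` key, possibly nested inside a JSON-encoded string; the node and field names in the sample are hypothetical.

```python
import json

# Assumption: a stdio MCP server definition is an object with a "command"
# key (optionally "args"/"env"), the shape commonly used in MCP client configs.
def _walk(value, path):
    """Yield (path, dict) for every dict reachable from value, descending
    into strings that themselves parse as JSON objects or arrays."""
    if isinstance(value, dict):
        yield path, value
        for k, v in value.items():
            yield from _walk(v, f"{path}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, f"{path}[{i}]")
    elif isinstance(value, str) and value.lstrip()[:1] in ("{", "["):
        try:
            inner = json.loads(value)
        except ValueError:
            return  # looked like JSON but is not; nothing to inspect
        yield from _walk(inner, path + "<json>")

def find_stdio_commands(chatflow_text):
    """Return one finding per embedded command definition."""
    findings = []
    for path, obj in _walk(json.loads(chatflow_text), "$"):
        cmd = obj.get("command")
        if isinstance(cmd, str) and cmd.strip():
            args = obj.get("args", [])
            findings.append({"path": path, "command": cmd,
                             "args": args if isinstance(args, list) else [args]})
    return findings

def safe_to_import(chatflow_text, allowed_commands=frozenset()):
    """Fail closed: reject if any command is outside the allowlist."""
    return all(f["command"] in allowed_commands
               for f in find_stdio_commands(chatflow_text))

# Constructed sample export (node and field names are hypothetical).
SAMPLE = json.dumps({
    "nodes": [
        {"id": "llm_0", "data": {"name": "chatModel", "inputs": {"temperature": 0.2}}},
        {"id": "mcp_0", "data": {"name": "exampleMcpTool", "inputs": {
            "serverConfig": json.dumps({"command": "sh", "args": ["-c", "echo constructed"]})
        }}},
    ],
})

if __name__ == "__main__":
    print(json.dumps(find_stdio_commands(SAMPLE), indent=2))
```

A check like this is a triage aid for reviewing shared chatflows and does not replace patching the affected deployment.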