Enterprises using the lightweight, open-source Flowise platform to power self-hosted AI workloads now have a new near-max-severity concern to worry about.
Researchers at Obsidian Security have detailed a one-click remote code execution (RCE) vulnerability affecting self-hosted Flowise deployments via its implementation of Model Context Protocol (MCP) stdio servers.
The issue is essentially a sandboxing failure of attacker-controlled MCP configurations, leading to server-side code execution.
“Post-auth RCE in Flowise can be triggered with a single click via a malicious chatflow import before any save or run,” the researchers said in a blog post. “The official patch relies on input validation that is trivially bypassed and fails to address the root cause.”
Flowise is commonly used to build internal AI assistants, retrieval-augmented generation (RAG) applications, customer-facing chatbots, and autonomous agents connected to enterprise systems.
The flaw doesn't affect Flowise Cloud, as stdio MCP is disabled there. For everyone else, where the feature is enabled and absolutely necessary, there is a security-versus-functionality tradeoff developers need to understand, and they should actively review server configurations for possible threats, the researchers explained.
One-click RCE affects everything Flowise can reach
The vulnerability, tracked as CVE-2026-40933, affects Flowise's implementation of MCP stdio servers. MCP's stdio transport is designed to launch local server processes and communicate with them via standard input and output streams, allowing AI agents to interact with files, Git repositories, databases, browsers, and local credentials.
According to Obsidian Security, the issue stems from Flowise allowing users to configure MCP stdio servers containing arbitrary commands. Because these commands are ultimately executed by the underlying operating system, an attacker can achieve remote code execution with the privileges of the Flowise process.
In containerized deployments, the researchers noted, this can effectively provide root-level access to the environment hosting the platform.
The flaw has been assigned a 9.9 CVSS score, with a successful compromise potentially exposing API keys, databases, cloud resources, SaaS applications, and other assets accessible via Flowise.
Researchers said the fixes fall short
The disclosure details a series of remediation efforts by Flowise aimed at restricting how MCP stdio commands can be configured and executed. According to Obsidian, however, each iteration relied primarily on command validation and filtering mechanisms that can be bypassed under certain conditions.
“Flowise appeared to recognize the risk and hardened Custom MCP over several rounds,” the researchers noted. “#5232 introduced CUSTOM_MCP_SECURITY_CHECK, a default-enabled validation layer for Custom MCP configurations.” While the checks reduced obvious command execution paths, they did little to change the underlying threat of allowing users to supply stdio MCP configurations, they said.
Obsidian's reporting of the flaw triggered further hardening of the feature with flag validation in updates #5741 and #5943. These, too, did not completely remove the threat.
When asked to treat stdio MCP as unsafe by default and require explicit opt-in, Flowise reportedly said they wanted to “limit what we know is bad without completely disabling features that users may rely on.” Obsidian shared a proof-of-concept (POC) exploit demonstrating how Flowise's current protections could still be bypassed to achieve RCE.
The only complete mitigation recommended by the researchers is turning off MCP stdio by setting “CUSTOM_MCP_PROTOCOL=sse”. For those who can't do that without obstructing operations, pinning trusted packages where possible and reviewing imported chatflows from untrusted sources might help, the researchers added.
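The two mitigations above (the CUSTOM_MCP_PROTOCOL=sse setting and reviewing imported chatflows) can be turned into a pre-import check. The script below is an added example written for this article, not code from Obsidian Security or the Flowise project. It assumes that a Custom MCP node stores its server definition as a JSON string in the node inputs and that a stdio server is recognisable by a "command" key while an SSE server carries a "url" key; the sample chatflow, the node layout, and the "unpinned package" heuristic for npx are all constructed for illustration.

```python
import json
from typing import Any, Iterator

# Constructed sample: an exported chatflow in a Flowise-like JSON layout.
# The node structure is an assumption for this example; the scan below is
# schema-agnostic and only relies on stdio MCP configs carrying a "command" key.
SAMPLE_CHATFLOW = json.dumps({
    "nodes": [
        {"id": "customMCP_0",
         "data": {"name": "customMCP",
                  "inputs": {"mcpServerConfig": json.dumps({
                      "command": "npx",
                      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/srv/data"]})}}},
        {"id": "customMCP_1",
         "data": {"name": "customMCP",
                  "inputs": {"mcpServerConfig": json.dumps({
                      "url": "https://mcp.example.internal/sse"})}}},
    ]
})


def _walk(obj: Any) -> Iterator[dict]:
    """Yield every dict nested anywhere in obj, decoding JSON that is embedded
    as a string (the MCP server config is assumed to be stored that way)."""
    if isinstance(obj, dict):
        yield obj
        for value in obj.values():
            yield from _walk(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _walk(value)
    elif isinstance(obj, str) and obj.lstrip().startswith("{"):
        try:
            yield from _walk(json.loads(obj))
        except ValueError:
            return  # not JSON; ordinary text input


def _npx_package_pinned(args: list) -> bool:
    """Heuristic (assumption): for npx, the first non-flag argument is the
    package spec; it counts as pinned only if it carries an explicit @version."""
    for arg in args:
        if not arg.startswith("-"):
            return arg.rfind("@") > 0  # '@' at index 0 is just a scope prefix
    return False


def find_stdio_servers(chatflow_json: str) -> list:
    """Return every MCP server config in the chatflow that would spawn a local
    process (stdio transport), i.e. any config object with a "command" key."""
    findings = []
    for cfg in _walk(json.loads(chatflow_json)):
        if "command" in cfg:
            args = list(cfg.get("args", []))
            findings.append({
                "command": cfg["command"],
                "args": args,
                "pinned": _npx_package_pinned(args) if cfg["command"] == "npx" else False,
            })
    return findings


def stdio_mcp_enabled(env: dict) -> bool:
    """The article gives CUSTOM_MCP_PROTOCOL=sse as the setting that turns stdio
    MCP off; any other value (or an unset variable) is treated here as enabled."""
    return env.get("CUSTOM_MCP_PROTOCOL") != "sse"


def review(chatflow_json: str, env: dict) -> dict:
    """Summarise what an import of this chatflow would expose on this deployment."""
    servers = find_stdio_servers(chatflow_json)
    allowed = stdio_mcp_enabled(env)
    return {
        "stdio_servers": len(servers),
        "unpinned_servers": sum(1 for s in servers if not s["pinned"]),
        "stdio_allowed": allowed,
        # Only worth a human look if the deployment would actually spawn them.
        "needs_review": allowed and len(servers) > 0,
    }


if __name__ == "__main__":
    import os
    print(json.dumps(review(SAMPLE_CHATFLOW, dict(os.environ)), indent=2))
```

Run it against a chatflow export before importing it; a non-zero `stdio_servers` count on a deployment where `stdio_allowed` is true means the import would define local processes for Flowise to launch, which is exactly the surface the researchers describe. The `pinned` flag only covers npx specs and is a heuristic, not a guarantee that the package is trustworthy.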
The article originally appeared on CSO.
