10.0

Flowise: Authenticated User Can Execute OS Commands

GHSA-c9gw-hvqq-f33r CVE-2026-40933
Summary

An attacker can execute arbitrary system commands on a Flowise server by creating a custom MCP with a malicious command. This requires a valid Flowise account and access to the server. To fix, update to the latest version of Flowise or restrict user permissions to prevent custom MCP creation.

What to do
  • Update henryheng flowise to version 3.1.0.
  • Update henryheng flowise-components to version 3.1.0.
  • Update flowise to version 3.1.0.
  • Update flowise-components to version 3.1.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| npm | henryheng | flowise | <= 3.0.13; < 3.1.0 | upgrade to 3.1.0 |
| npm | henryheng | flowise-components | <= 3.0.13; < 3.1.0 | upgrade to 3.1.0 |
| npm | | flowise | <= 3.0.13 | upgrade to 3.1.0 |
| npm | | flowise-components | <= 3.0.13 | upgrade to 3.1.0 |
Original title
Flowise: Authenticated RCE Via MCP Adapters
Original description
### Summary
Due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution.

### Details
The vulnerability lies in a bug in the input sanitization of the "Custom MCP" configuration at http://localhost:3000/canvas, where any user can add a new MCP. When adding a new MCP using stdio, the user can add any command. Even though your code has input sanitization checks such as validateCommandInjection and validateArgsForLocalFileAccess, and a list of predefined specific safe commands, these commands (for example "npx") can be combined with code execution arguments ("-c touch /tmp/pwn") that enable direct code execution on the underlying OS.

https://github.com/FlowiseAI/Flowise/blob/d848baeb6bd9737a1e7fc912349c45fbdcc7bb38/packages/components/nodes/tools/MCP/core.ts#L223

https://github.com/FlowiseAI/Flowise/blob/d848baeb6bd9737a1e7fc912349c45fbdcc7bb38/packages/components/nodes/tools/MCP/core.ts#L177

https://github.com/FlowiseAI/Flowise/blob/d848baeb6bd9737a1e7fc912349c45fbdcc7bb38/packages/components/nodes/tools/MCP/core.ts#L269


### PoC
Create a new Custom MCP and add an "npx -c" command.
```json
{
  "command": "npx",
  "args": [
    "-c",
    "touch /tmp/pwn"
  ]
}
```

### Impact
This is an authenticated arbitrary command execution due to unsanitized input. Even though the input is sanitized, more protections should be added in order to close ways for attackers to execute arbitrary commands.
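
One way to add the kind of protection the Impact section asks for, shown as an added example that is neither Flowise's code nor the fix shipped in 3.1.0: a check on the command name alone accepts the PoC config, while a default-deny policy on launcher options and version-pinned packages rejects it. All identifiers and the package spec are hypothetical, and the sketch assumes npx passes everything after the first positional argument to the package it starts.

```typescript
// Added example, not Flowise code. Every identifier below is hypothetical.
type StdioConfig = { command: string; args?: string[] };
type Verdict = { ok: boolean; reason: string };
type LauncherPolicy = { flags: ReadonlySet<string>; packages: ReadonlySet<string> };

// Simplified model of a check that only asks whether the binary is on a safe list.
const SAFE_COMMANDS: ReadonlySet<string> = new Set(["npx"]);
function commandNameOnly(cfg: StdioConfig): boolean {
  return SAFE_COMMANDS.has(cfg.command);
}

// Default-deny policy per launcher: the only options it may receive before the
// package name, and the only version-pinned packages it may start.
// The package spec is a constructed placeholder.
const POLICY = new Map<string, LauncherPolicy>([
  ["npx", {
    flags: new Set(["-y", "--yes"]),
    packages: new Set(["@example-org/mcp-server-docs@1.2.3"]),
  }],
]);

function checkStdioConfig(cfg: StdioConfig): Verdict {
  const policy = POLICY.get(cfg.command);
  if (policy === undefined) {
    return { ok: false, reason: "command not allowlisted" };
  }
  // The launcher's own options end at the first positional argument;
  // everything after it is passed to the package being started.
  let pkg: string | undefined;
  for (const arg of cfg.args ?? []) {
    if (!arg.startsWith("-")) { pkg = arg; break; }
    if (!policy.flags.has(arg)) {
      return { ok: false, reason: `launcher option not allowed: ${arg}` };
    }
  }
  if (pkg === undefined || !policy.packages.has(pkg)) {
    return { ok: false, reason: "package not on the approved, pinned list" };
  }
  return { ok: true, reason: "ok" };
}

// Constructed inputs: the config shape from the PoC above and an approved launch.
const POC: StdioConfig = { command: "npx", args: ["-c", "touch /tmp/pwn"] };
const APPROVED: StdioConfig = {
  command: "npx",
  args: ["-y", "@example-org/mcp-server-docs@1.2.3", "--root", "/srv/docs"],
};
console.log(commandNameOnly(POC), checkStdioConfig(POC), checkStdioConfig(APPROVED));
```

The package list matters as much as the option list: a launcher that may start any package still runs code chosen by whoever writes the config.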
ghsa CVSS3.1 10.0
Vulnerability type
CWE-78 OS Command Injection
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026