Tuesday, June 9, 2026

Flowise’s MCP implementation can run ghost commands

Enterprises using the lightweight, open-source Flowise platform to power self-hosted AI workloads now have a new near-maximum-severity issue to worry about.

Researchers at Obsidian Security have detailed a one-click remote code execution (RCE) vulnerability affecting self-hosted Flowise deployments through its implementation of Model Context Protocol (MCP) stdio servers.

The issue is essentially a sandboxing failure of attacker-controlled MCP configurations, resulting in server-side code execution.

“Post-auth RCE in Flowise can be triggered with a single click via a malicious chatflow import before any save or run,” the researchers said in a blog post. “The official patch relies on input validation that’s trivially bypassed and fails to address the root cause.”

Flowise is commonly used to build internal AI assistants, retrieval-augmented generation (RAG) applications, customer-facing chatbots, and autonomous agents connected to enterprise systems.

The flaw does not affect Flowise Cloud, since stdio MCP is disabled there. For everyone else, where the feature is enabled and genuinely necessary, there is a security and functionality tradeoff developers need to understand, and they should actively review server configurations for potential threats, the researchers explained.

One-click RCE affects everything Flowise can reach

The vulnerability, tracked as CVE-2026-40933, affects Flowise’s implementation of MCP stdio servers. MCP’s stdio transport is designed to launch local server processes and communicate with them through standard input and output streams, allowing AI agents to interact with files, Git repositories, databases, browsers, and local credentials.

According to Obsidian Security, the issue stems from Flowise allowing users to configure MCP stdio servers containing arbitrary commands. Because these commands are ultimately executed by the underlying operating system, an attacker can achieve remote code execution with the privileges of the Flowise process.

In containerized deployments, the researchers noted, this can effectively provide root-level access to the environment hosting the platform.

The flaw has been assigned a CVSS score of 9.9, with a successful compromise potentially exposing API keys, databases, cloud resources, SaaS applications, and other assets accessible through Flowise.

Researchers say the fixes fall short

The disclosure details a series of remediation efforts by Flowise aimed at restricting how MCP stdio commands can be configured and executed. According to Obsidian, however, each iteration relied primarily on command validation and filtering mechanisms that can be bypassed under certain circumstances.

“Flowise appeared to acknowledge the risk and hardened Custom MCP over several rounds,” the researchers noted. “#5232 introduced CUSTOM_MCP_SECURITY_CHECK, a default-enabled validation layer for Custom MCP configurations.” While the checks reduced obvious command execution paths, they did little to change the underlying risk of allowing users to supply stdio MCP configurations, they said.

Obsidian’s reporting of the flaw prompted further hardening of the feature with flag validation in updates #5741 and #5943. These, too, did not fully remove the risk.

When asked to treat stdio MCP as unsafe by default and require explicit opt-in, Flowise reportedly said they wanted to “limit what we know is dangerous without completely disabling features that users may rely on.” Obsidian shared a proof-of-concept (PoC) exploit demonstrating how Flowise’s current protections could still be bypassed to achieve RCE.

The only complete mitigation recommended by the researchers is turning off MCP stdio by setting “CUSTOM_MCP_PROTOCOL=sse”. For those who cannot do so without disrupting operations, pinning trusted packages where possible and reviewing imported chatflows from untrusted sources may help, the researchers added.
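As an added defender-side example (not code from the article, from Flowise or from Obsidian), the following Python script implements the review the researchers recommend: it walks an exported chatflow JSON and flags every MCP server entry that would be launched over stdio, i.e. one carrying a `command` key, and separately checks whether the CUSTOM_MCP_PROTOCOL=sse mitigation is set. The node layout (`data.inputs.mcpServerConfig`) and the sample chatflow are assumptions constructed for illustration; the `mcpServers` object is the common MCP client configuration shape.

```python
import json
import os

# Constructed sample chatflow export. The node layout (data.inputs.mcpServerConfig)
# is an assumption about Flowise's export format; the mcpServers object is the
# common MCP client configuration shape. Node 0 would spawn a local process.
SAMPLE_CHATFLOW = json.dumps({"nodes": [
    {"id": "customMCP_0", "data": {"name": "customMCP", "inputs": {
        "mcpServerConfig": json.dumps({"mcpServers": {"fs": {
            "command": "npx", "args": ["-y", "some-fs-server", "/data"]}}})}}},
    {"id": "customMCP_1", "data": {"name": "customMCP", "inputs": {
        "mcpServerConfig": json.dumps({"mcpServers": {"remote": {
            "url": "https://mcp.example.internal/sse"}}})}}},
    {"id": "chatOpenAI_0", "data": {"name": "chatOpenAI", "inputs": {"modelName": "gpt-4o"}}},
]})


def find_stdio_mcp_servers(chatflow_json: str) -> list[dict]:
    """Return every MCP server entry that would be launched as a local process.
    An entry with a "command" key is a stdio server: the host would spawn that
    command with the Flowise process's privileges, so review it before import.
    Unparseable configs are reported too, since a reviewer cannot tell what they do.
    """
    findings = []
    for node in json.loads(chatflow_json).get("nodes", []):
        raw = node.get("data", {}).get("inputs", {}).get("mcpServerConfig")
        if not raw:
            continue
        try:
            cfg = json.loads(raw) if isinstance(raw, str) else raw
        except json.JSONDecodeError:
            findings.append({"node": node.get("id"), "server": None,
                             "reason": "unparseable mcpServerConfig"})
            continue
        for name, server in cfg.get("mcpServers", {}).items():
            if isinstance(server, dict) and "command" in server:
                cmdline = " ".join([server["command"], *server.get("args", [])])
                findings.append({"node": node.get("id"), "server": name,
                                 "reason": f"stdio server would run: {cmdline}"})
    return findings


def stdio_transport_disabled(env: dict) -> bool:
    """True when CUSTOM_MCP_PROTOCOL=sse, the full mitigation the researchers recommend."""
    return env.get("CUSTOM_MCP_PROTOCOL", "").lower() == "sse"


if __name__ == "__main__":
    for f in find_stdio_mcp_servers(SAMPLE_CHATFLOW):
        print(f"REVIEW node={f['node']} server={f['server']}: {f['reason']}")
    print("stdio MCP disabled via env:", stdio_transport_disabled(dict(os.environ)))
```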

The article originally appeared on CSO.
