Critical Vulnerability in Flowise Allows Remote Command Execution via MCP Adapters - cyberpress.org
By AnuPriya
April 17, 2026
Categories: Cyber Security News, Cybersecurity, Vulnerability
A newly disclosed critical vulnerability in Flowise, linked to Anthropic’s Model Context Protocol (MCP), is raising serious concerns across the AI and cybersecurity communities.
Security researchers at OX Security have identified a systemic design flaw that enables remote command execution (RCE), potentially allowing attackers to fully compromise affected systems.
The vulnerability is not limited to a single application. Instead, it originates from the core architecture of MCP, a widely adopted protocol used for communication between AI agents and tools.
Because of this, the issue impacts multiple platforms and frameworks built on MCP, including Flowise and several other AI-driven environments.
Systemic Risk Across AI Ecosystem
Unlike typical software bugs, this flaw stems from an architectural design decision, making it harder to mitigate universally.
The vulnerability affects official MCP SDKs across multiple programming languages such as Python, Java, Rust, and TypeScript.
The scale of exposure is significant:
Over 150 million downloads tied to MCP-based components
More than 7,000 publicly accessible MCP servers
Up to 200,000 potentially vulnerable instances worldwide
This creates a massive software supply chain risk, where developers unknowingly inherit insecure defaults while integrating MCP into their applications.
Researchers outlined several attack vectors that can be leveraged to exploit the flaw:
Unauthenticated UI injection attacks in AI frameworks
Zero-click prompt injection in AI IDEs like Windsurf and Cursor
Malicious package distribution via marketplace poisoning
Security bypass techniques in protected environments, such as Flowise
In Flowise specifically, attackers can bypass existing safeguards and execute arbitrary system commands, leading to full system compromise, including access to databases, API keys, and sensitive user data.
The vulnerability has already resulted in multiple CVE disclosures across widely used AI tools:
GPT Researcher (CVE-2025-65720)
Agent Zero (CVE-2026-30624)
Fay Framework (CVE-2026-30618)
Langchain-Chatchat (CVE-2026-30617)
Jaaz (CVE-2026-33224)
Additional issues include a zero-click prompt injection flaw in Windsurf (CVE-2026-30615) and an allowlist bypass vulnerability in Upsonic (CVE-2026-30625).
Some platforms like LiteLLM and Bisheng have already released patches for related vulnerabilities.
Despite over 30 responsible disclosures, Anthropic has stated that the behavior is “expected” and has not made changes to the MCP architecture.
This leaves organizations responsible for implementing their own safeguards.
Security experts recommend immediate mitigation steps:
Restrict public internet access to MCP-enabled services
Treat all external MCP inputs as untrusted
Install components only from verified sources
Run services in isolated sandbox environments
Monitor system activity for unusual behavior
Disable user input features or upgrade affected tools where possible
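One concrete form of "treat all external MCP inputs as untrusted" for the stdio adapters the article refers to: an added example (not Flowise's, OX Security's or the MCP SDK's code) that gates user-supplied MCP server definitions on an allowlist of launchers and the packages each launcher may run, rejecting shell launchers, unreviewed packages, launcher flags that redirect execution and environment overrides. It assumes the common client config shape `{"mcpServers": {name: {command, args, env}}}`; the package names and sample entries are constructed placeholders.

```python
"""Allowlist check for MCP stdio server definitions supplied by untrusted users."""
import json
from dataclasses import dataclass

# Constructed policy (placeholder package names): each launcher may only run the packages pinned here.
ALLOWED_PACKAGES = {
    "npx": {"@example-org/mcp-docs-server"},
    "uvx": {"example-mcp-search"},
}
LAUNCHER_PASSTHROUGH = {"-y", "--yes"}  # npx confirmation flags, harmless
SHELL_METACHARS = set(";|&$`<>(){}\n\r")

@dataclass
class Verdict:
    name: str
    ok: bool
    reason: str

def check_server(name: str, spec: dict) -> Verdict:
    """Accept a server only if launcher, package and arguments pass the policy."""
    if "url" in spec:  # remote transports are outside this stdio policy
        return Verdict(name, False, "remote MCP servers are not permitted")
    cmd = spec.get("command")
    if cmd not in ALLOWED_PACKAGES:  # exact match: no paths, no shells
        return Verdict(name, False, f"launcher not allowlisted: {cmd!r}")
    if spec.get("env"):  # PATH/NODE_OPTIONS overrides change what really runs
        return Verdict(name, False, "environment overrides are not permitted")
    args = spec.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return Verdict(name, False, "args must be a list of strings")
    if any(set(a) & SHELL_METACHARS for a in args):
        return Verdict(name, False, "shell metacharacter in args")
    # The first non-passthrough argument selects the code the launcher executes; a flag there (-e, -c, --from) is blocked.
    rest = [a for a in args if a not in LAUNCHER_PASSTHROUGH]
    if not rest or rest[0].startswith("-"):
        return Verdict(name, False, "launcher flag before package is blocked")
    if rest[0] not in ALLOWED_PACKAGES[cmd]:
        return Verdict(name, False, f"package not allowlisted: {rest[0]!r}")
    return Verdict(name, True, "ok")

def audit_config(raw_json: str) -> list[Verdict]:
    servers = json.loads(raw_json).get("mcpServers", {})  # one Verdict per server entry
    return [check_server(n, s) for n, s in servers.items()]

# Constructed sample: one compliant entry, three that the policy must reject.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "@example-org/mcp-docs-server", "--root", "/srv/docs"]},
    "shell": {"command": "sh", "args": ["-c", "uname -a"]},
    "any-pkg": {"command": "npx", "args": ["-y", "some-unreviewed-package"]},
    "env-hijack": {"command": "uvx", "args": ["example-mcp-search"], "env": {"PATH": "/tmp"}},
}})
```

Run `audit_config` over a config before the adapter is allowed to spawn anything; a deny verdict is also a useful signal to log for the monitoring step above.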
As AI adoption accelerates, this vulnerability highlights the growing risks within AI supply chains and the need for secure-by-design architectures.
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.