Exploit Code Published for Critical Flowise RCE Vulnerability
Security WeekArchived May 30, 2026✓ Full text saved
The one-click vulnerability allows attackers to execute arbitrary code on self-hosted Flowise servers by tricking users into importing a malicious chatflow. The post Exploit Code Published for Critical Flowise RCE Vulnerability appeared first on SecurityWeek .
Full text archived locally
✦ AI Summary· Claude Sonnet
Obsidian Security has released technical information and proof-of-concept (PoC) code targeting a remote code execution (RCE) vulnerability in Flowise.
The issue, tracked as CVE-2026-40933 (CVSS score of 9.9), was disclosed in April along with several other security defects impacting AI ecosystems that rely on Anthropic’s MCP protocol.
Flowise, a popular open source platform that provides developers with a drag-and-drop interface for building LLM flows and AI agents, and which has over 52,000 GitHub stars, was flagged as one of the impacted products.
According to OX Security, the root cause of the issue is a “by design”, systemic command injection vulnerability in Anthropic MCP, which propagates through the ecosystem.
[Learn More: SecurityWeek to Host AI Risk Summit August 11-12 at the Ritz-Carlton, Half Moon Bay]
A NIST advisory describes CVE-2026-40933 as an unsafe serialization of stdio commands in the MCP adapter, allowing an attacker to add an MCP stdio server with an arbitrary command and achieve code execution.
The security weakness existed because Flowise before version 3.1.0 allowed any user to add a new MCP and, when doing so, to add any command, enabling code execution on the underlying OS.
According to Obsidian, the bug can be exploited by attackers to take over servers by simply convincing a user to import a crafted chatflow. The import action triggers arbitrary code execution on the server.
“Any user who can create or edit chatflows can add a Custom MCP Tool and supply a malicious stdio MCP configuration. In practice, this requires a malicious insider or a compromised user account,” Obsidian notes.
A remote attacker, the cybersecurity firm explains, can include a malicious command in a Custom MCP Tool configuration, export the chatflow as JSON, and share it with the victim. The payload abuses Flowise’s legitimate functionality to execute the malicious command during the import process.
“Flowise’s Custom MCP node has an ‘Available Actions’ dropdown that lists the tools exposed by the configured MCP server. To populate that dropdown, the canvas asks the backend to enumerate the server’s tools. With stdio transport, enumeration starts the configured command. Because the dropdown loads when the imported chatflow renders on the canvas, the import alone can spawn the command,” Obsidian notes.
The cybersecurity firm has published PoC code that, when imported, creates a shell back to Docker’s bridge address for the host.
Obsidian says successful exploitation of CVE-2026-40933 leads to “OS-level execution with the Flowise process’s privileges, often root in containerized deployments. Every credential stored in the platform is readable. Every connected service is reachable. Flowise in production is typically wired into databases, APIs, and cloud accounts; the blast radius scales with whatever it connects to.”
The cybersecurity firm notes that Flowise Cloud is not affected, because it has stdio MCP disabled. Self-hosted instances are vulnerable by default.
Related: Raising the Cybersecurity Stakes: Ante up for the Agentic Era
Related: Google Unveils AI Threat Defense Platform to Fight AI-Powered Cyberattacks
Related: Anthropic Releases New Claude Sandbox, Security Guidance Plugin
Related: ‘Claw Chain’ OpenClaw Flaws Allow Sandbox Escape, Backdoor Delivery
WRITTEN BY
Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.
More from Ionut Arghire
Geordie Raises $30 Million for AI Security and Governance Platform
Carnival Data Breach Exposed 6 Million People
New BTMOB Android Malware Enables Full Device Takeover
Critical FortiClient EMS Vulnerability Exploited in Fresh Attacks
Gitea Vulnerability Exposed 30,000 Deployments to Attacks
Google Unveils AI Threat Defense Platform to Fight AI-Powered Cyberattacks
RevEng.AI Raises $15 Million to Hunt for Flaws and Backdoors in Software Binaries
GlassWorm Botnet Disrupted
Latest News
Russian Spies Are Aggressively Seeking Western Technology as Sanctions Bite, Officials Say
In Other News: Trump Mobile Data Breach, FIFA World Cup Phishing, CISA Responds to Supply Chain Attacks
Charter Communications Data Breach Could Impact Nearly 5 Million
MokN Raises $15 Million for Phish-Back Platform
Gogs Zero-Day Exposes Servers to Remote Code Execution
California Sues 23andMe, Alleging It Failed to Protect User Data in 2023 Breach
Chrome 148 Update Patches 151 Vulnerabilities
Russia-Linked ‘GreyVibe’ Attackers Use AI to Supercharge Cyberattacks
Trending
Virtual Event: Threat Detection And Incident Response Summit
On-Demand
Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization.
Register
Webinar: Third-Party Risk In Practice
June 4, 2026
Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice.
Register
People on the Move
Anurag Jain has been appointed Senior Vice President of Engineering at CodeHunter
CTERA has appointed Tal Sarfaty as Senior Vice President of Cybersecurity.
Quantum Secure Encryption has named Michael Massing as Chief Technology Officer.
More People On The Move
Expert Insights
Raising The Cybersecurity Stakes: Ante Up For The Agentic Era
CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale. (Nadir Izrael)
Caught Off Guard: Securing AI After It Hits Production
As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb)
Cyber Resilience Is The New Business Continuity Plan
The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin)
Enhancing Data Center Security Without Sacrificing Performance
For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael)
Is The SOC Obsolete, And We Just Haven’t Admitted It Yet?
Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au)
Flipboard
Reddit
Whatsapp
Email