CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 01, 2026

Critical Flowise Flaw Gives Attackers Full Server Control

Infosecurity Magazine Archived Jun 01, 2026 ✓ Full text saved

Obsidian publishes PoC for a 1-click Flowise RCE that can fully compromise self-hosted servers

Full text archived locally
✦ AI Summary · Claude Sonnet


    A critical flaw in the open-source AI platform Flowise has been disclosed, along with working proof-of-concept (PoC) code, allowing an attacker to take over a server when a logged-in user simply imports a malicious workflow file. According to new analysis from Obsidian Security, the bug, tracked as CVE-2026-40933, affects Flowise, a widely used platform for building large language model (LLM) workflows and AI agents with more than 52,000 GitHub stars. Self-hosted deployments are vulnerable by default, while the managed Flowise Cloud service is not affected. The finding builds on the firm's earlier research into a similar remote code execution (RCE) flaw in Langflow, another open-source AI platform. Obsidian released a PoC exploit with its disclosure and warned that the official fix can be circumvented, leaving the latest release exposed. Custom MCP Tool Spawns Server Commands The weakness lies in Flowise's Custom MCP tool, a feature that lets users wire external services into the Model Context Protocol (MCP). When set to the stdio transport, the tool launches a user-supplied command as a child process on the Flowise server, with no sandbox around it. Because Flowise lets users export and share these workflows, known as chatflows, an attacker can hide a malicious command inside one. Obsidian found that merely importing such a chatflow is enough to run the command, since the editor automatically queries the configured server as the workflow loads onto the canvas. No save, run or approval step is needed before the code executes. A Patch That Can Be Bypassed Flowise answered the disclosure with an input-validation layer that allow lists permitted commands and blocks risky arguments. However, Obsidian said this treats the symptom rather than the cause, because the feature is built to execute code and an attacker can still express malicious behavior inside the allowed input. Read more on RCE flaws in AI agent platforms: Hackers Exploit Critical Langflow Bug in Just 20 Hours The upshot is that self-hosted installations, both open-source and enterprise, stay vulnerable by default even on the current version. Obsidian argued that stdio MCP should be switched off unless it is explicitly needed, rather than left running behind validation checks that can be worked around. The most effective protection is to disable the stdio transport by switching Flowise's Custom MCP protocol to Server-Sent Events (SSE), which removes the execution path entirely.  Teams that rely on the feature were urged to treat any imported MCP configuration as code, restrict it to trusted sources and avoid loading shared chatflows from unknown origins.
    💬 Team Notes
    Article Info
    Source
    Infosecurity Magazine
    Category
    ◇ Industry News & Leadership
    Published
    Jun 01, 2026
    Archived
    Jun 01, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗