Exploit Code Published for Critical Flowise RCE Vulnerability

SecurityWeek, May 30, 2026

Why It Matters

The flaw gives attackers full control over vulnerable Flowise servers, jeopardizing the confidentiality of data pipelines and any integrated cloud services. Prompt patching is essential for enterprises that rely on self‑hosted AI orchestration.

Key Takeaways

  • CVE‑2026‑40933 scores 9.9, enabling OS‑level code execution
  • Vulnerability stems from unsafe stdio command serialization in Anthropic MCP
  • Any user who can import a chatflow can trigger remote code execution
  • Self‑hosted Flowise before v3.1.0 is exploitable; Flowise Cloud is safe
  • Exploitation grants root access, exposing credentials and connected services

Pulse Analysis

Flowise has become a go‑to open‑source framework for building LLM pipelines, with more than 52,000 stars on GitHub and a growing ecosystem of plugins. Its drag‑and‑drop interface relies heavily on Anthropic’s MCP (Model Context Protocol) to communicate with external tools. The recent disclosure of CVE‑2026‑40933 reveals a systemic flaw in the way MCP stdio commands are serialized, turning a benign configuration step into a gateway for arbitrary code execution. This vulnerability underscores how tightly coupled AI orchestration platforms can inherit deep‑seated security risks from the protocol implementations beneath them.

The technical root cause is an unsafe deserialization of stdio commands in the MCP adapter. When a user adds a custom MCP tool, Flowise stores the command string and later executes it to enumerate the tool's available actions. An attacker can craft a malicious chatflow JSON that embeds such a command, export it, and convince a victim to import the flow. During import, the backend automatically runs the command to populate the actions dropdown, granting the attacker OS‑level execution, often as root in containerized deployments. Because the exploit requires only import privileges, insider threats and compromised accounts become potent vectors.

Mitigation is straightforward: upgrade to Flowise version 3.1.0 or later, where the MCP addition is restricted and stdio execution is disabled by default. Organizations running self‑hosted instances should audit user permissions, enforce least‑privilege access, and monitor for unexpected command invocations. While Flowise Cloud remains unaffected due to its hardened configuration, the incident serves as a reminder that supply‑chain‑style bugs can propagate through widely adopted AI tooling. Vendors and developers must prioritize secure serialization practices to protect the expanding attack surface of generative‑AI infrastructure.
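As an added example (not code from the article or from the Flowise project), the following pre-import check parses an exported chatflow and reports any MCP stdio command that would be spawned on import but is not on an administrator's allowlist. The node layout and the `mcpServerConfig` input name are assumptions about the export format, and the sample chatflow is constructed.

```python
import json
import re

# Allowlist of launcher binaries an admin is willing to let an MCP stdio
# tool start. Anything else is reported for review before import.
ALLOWED_COMMANDS = {"npx", "uvx"}
SHELL_META = re.compile(r"[;&|`$<>]")

def _server_configs(node):
    """Yield (server_name, config_dict) for every MCP config on a node.
    Assumes node['data']['inputs']['mcpServerConfig'] (an assumption about
    the export format), which may be a JSON string or a parsed object."""
    raw = node.get("data", {}).get("inputs", {}).get("mcpServerConfig")
    if raw is None:
        return
    cfg = json.loads(raw) if isinstance(raw, str) else raw
    # Accept both a bare server object and the {"mcpServers": {...}} wrapper.
    servers = cfg.get("mcpServers", {"default": cfg})
    for name, server in servers.items():
        yield name, server

def audit_chatflow(chatflow_json):
    """Return (node_id, server, reason, command_line) findings for MCP stdio
    commands the import would execute. An empty list means nothing to review."""
    findings = []
    for node in json.loads(chatflow_json).get("nodes", []):
        for name, server in _server_configs(node):
            cmd = server.get("command")
            if cmd is None:
                continue  # remote (SSE/HTTP) server: no local process spawned
            argv = [cmd] + [str(a) for a in server.get("args", [])]
            line = " ".join(argv)
            if cmd.rsplit("/", 1)[-1] not in ALLOWED_COMMANDS:
                findings.append((node.get("id"), name, "command not allowlisted", line))
            elif any(SHELL_META.search(a) for a in argv):
                findings.append((node.get("id"), name, "shell metacharacters in args", line))
    return findings

# Constructed sample: one benign tool and one that would start an
# arbitrary interpreter when the flow is imported.
SAMPLE_CHATFLOW = json.dumps({"nodes": [
    {"id": "customMCP_0", "data": {"name": "customMCP", "inputs": {
        "mcpServerConfig": '{"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/data"]}'}}},
    {"id": "customMCP_1", "data": {"name": "customMCP", "inputs": {
        "mcpServerConfig": {"mcpServers": {"evil": {"command": "/bin/sh", "args": ["-c", "uname -a"]}}}}}},
]})

if __name__ == "__main__":
    for finding in audit_chatflow(SAMPLE_CHATFLOW):
        print(finding)
```

Run it against every chatflow export before it is imported into a pre-3.1.0 instance; a non-empty result is a reason to hold the import for review.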
