CVE-2026-40933
Received - Intake
Command Injection in Flowise MCP Adapter Allows Remote Code Execution

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerability lies in a bug in the input sanitization of the “Custom MCP” configuration at http://localhost:3000/canvas, where any user can add a new MCP. When adding a new MCP using stdio, the user can add any command: although the code has input sanitization checks such as validateCommandInjection and validateArgsForLocalFileAccess, and a list of predefined safe commands, these commands (for example "npx") can be combined with code execution arguments ("-c touch /tmp/pwn") that enable direct code execution on the underlying OS. This vulnerability is fixed in 3.1.0.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-23
Generated: 2026-05-06
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: flowiseai
Product: flowise
Version / Range: to 3.1.0 (exc)
CWE ID: CWE-78
Description: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Flowise versions prior to 3.1.0, which is a drag & drop user interface for building customized large language model flows. The issue arises from unsafe serialization of stdio commands in the MCP adapter. An authenticated attacker can add a malicious MCP stdio server with an arbitrary command, leading to command execution on the underlying operating system.

The root cause is a bug in input sanitization in the “Custom MCP” configuration accessible at http://localhost:3000/canvas. Although there are input sanitization checks like validateCommandInjection and validateArgsForLocalFileAccess, and a predefined list of safe commands, attackers can bypass these by combining allowed commands (e.g., "npx") with arguments that enable code execution (e.g., "-c touch /tmp/pwn"). This allows direct execution of arbitrary commands.

This vulnerability was fixed in version 3.1.0 of Flowise.


How can this vulnerability impact me?

This vulnerability can have severe impacts because it allows an authenticated attacker to execute arbitrary commands on the underlying operating system where Flowise is running.

  • Complete compromise of the affected system due to arbitrary code execution.
  • Potential unauthorized access to sensitive data or system resources.
  • Disruption of service or availability through malicious commands.
  • Escalation of privileges or lateral movement within the network if the attacker leverages this access.

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in Flowise version 3.1.0. To mitigate this vulnerability, you should upgrade your Flowise installation to version 3.1.0 or later.

Additionally, restrict authenticated users from adding new MCP stdio servers with arbitrary commands until the upgrade is applied, as the vulnerability arises from unsafe serialization and insufficient input sanitization in the "Custom MCP" configuration.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-40933 enables authenticated attackers to execute arbitrary commands on affected systems, potentially leading to full compromise of confidentiality, integrity, and availability of sensitive data.

Such a compromise can result in unauthorized access to sensitive user data, internal databases, API keys, and chat histories, which may violate data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

Organizations using vulnerable MCP implementations without proper mitigation risk non-compliance with these standards due to potential data breaches and insufficient controls over system integrity and access.

Mitigation recommendations include restricting public IP access, treating all external MCP inputs as untrusted, sandboxing MCP services, monitoring for suspicious activity, and upgrading to patched versions to help maintain compliance.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of CVE-2026-40933 involves monitoring for unsafe STDIO-based MCP configurations and suspicious command executions related to the Custom MCP interface in Flowise prior to version 3.1.0.

Since the vulnerability allows an authenticated attacker to inject arbitrary commands via the Custom MCP configuration at http://localhost:3000/canvas, detection can focus on identifying unusual MCP configurations or unexpected command executions on the system.

Suggested detection commands include checking for the presence of files or artifacts created by injected commands, such as the example 'touch /tmp/pwn' used in the proof of concept.

  • Check for suspicious files created by command injection, e.g., run: ls -l /tmp/pwn
  • Monitor running processes for unexpected commands related to MCP stdio servers, e.g., ps aux | grep 'npx -c touch /tmp/pwn'
  • Audit the Custom MCP configurations in Flowise by reviewing the configuration files or database entries for unexpected or unauthorized commands.
  • Use network monitoring tools to detect unusual traffic patterns or connections to the MCP stdio servers, especially on localhost ports like 3000.

Additionally, employing security tools that detect unsafe MCP stdio configurations or flag risky patterns where user input flows directly into MCP commands can help identify exploitation attempts.
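
The file and process checks above match only the literal proof of concept. The configuration audit can instead flag any stdio entry whose allowlisted launcher carries a command-executing option. The sketch below is an added example, not Flowise code: the entry shape ({name, command, args}), the allowlist contents and the sample entries are assumptions constructed for illustration.

```javascript
// Added example, not Flowise code. Entry shape {name, command, args} is an
// assumption about how exported Custom MCP stdio configs look.
const ALLOWED_COMMANDS = new Set(['npx', 'node']); // assumed allowlist

// Launcher options that make the launcher run a caller-supplied command string.
// Only the npx case named in the advisory text is listed; extend per launcher.
const EXEC_FLAGS = { npx: ['-c', '--call'] };

// Args may arrive as an array or as one string such as "-c touch /tmp/pwn".
function tokens(args) {
  const list = Array.isArray(args) ? args : [args ?? ''];
  return list.flatMap((a) => String(a).trim().split(/\s+/)).filter(Boolean);
}

function auditStdioEntry(entry) {
  const findings = [];
  const command = String(entry.command ?? '').trim();
  const base = command.split(/[\\/]/).pop();
  if (!ALLOWED_COMMANDS.has(base)) {
    findings.push(`command "${command}" is not on the allowlist`);
  }
  if (base !== command) findings.push(`command given as a path: "${command}"`);
  // Conservative: every token is inspected, so a package's own "-c" is also
  // reported and needs manual review.
  for (const tok of tokens(entry.args)) {
    const flag = tok.split('=')[0];
    if ((EXEC_FLAGS[base] ?? []).includes(flag)) {
      findings.push(`${base} option ${flag} runs a caller-supplied command string`);
    }
  }
  return findings;
}

function auditConfigs(entries) {
  return entries
    .map((e) => ({ name: e.name, findings: auditStdioEntry(e) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample entries for illustration.
const SAMPLE = [
  { name: 'fs', command: 'npx', args: ['-y', '@modelcontextprotocol/server-filesystem', '/data'] },
  { name: 'poc', command: 'npx', args: ['-c', 'touch /tmp/pwn'] },
  { name: 'poc-single-string', command: 'npx', args: '-c touch /tmp/pwn' },
  { name: 'shell', command: '/bin/sh', args: [] },
];

console.log(JSON.stringify(auditConfigs(SAMPLE), null, 2));
```

An allowlist on the command name alone passes both "poc" entries, which is the gap the description identifies; the argument check is what catches them.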

