CVE-2025-71336
Analyzed Analyzed - Analysis Complete

Remote Code Execution in Flowise AI Platform

Vulnerability report for CVE-2025-71336, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-01

Assigner: VulnCheck

Description

Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute OS commands such as launching local MCP servers. Because Flowise's authentication and authorization model is minimal and lacks role-based access control, and the default installation runs without authentication unless FLOWISE_USERNAME and FLOWISE_PASSWORD are set, an attacker can send a crafted JSON payload with the header 'x-request-from: internal' to the /api/v1/node-load-method/customMCP endpoint to execute arbitrary OS commands, resulting in complete compromise of the platform container or server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-01
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
flowiseai flowise to 3.0.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Flowise versions before 3.0.6, including 2.2.7-patch.1 and earlier, have a remote code execution vulnerability in the Custom MCP feature. This feature is intended to execute operating system commands, such as launching local MCP servers. However, due to minimal authentication and authorization controls, and the default installation running without authentication unless specific environment variables are set, an attacker can exploit this by sending a specially crafted JSON payload with a specific header to a particular API endpoint. This allows the attacker to execute arbitrary OS commands, potentially leading to full compromise of the platform container or server.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP requests targeting the /api/v1/node-load-method/customMCP endpoint with the header 'x-request-from: internal'. Such requests may contain crafted JSON payloads attempting to execute arbitrary OS commands.

To detect exploitation attempts, you can use network monitoring or web server logs to filter for requests with the specific endpoint and header.

  • Use curl or similar tools to test if the endpoint is accessible and vulnerable by sending a crafted JSON payload with the 'x-request-from: internal' header.
  • Example curl command to test the vulnerability (replace <host> with your server address):
  • curl -X POST http://<host>/api/v1/node-load-method/customMCP -H 'x-request-from: internal' -H 'Content-Type: application/json' -d '{"command":"touch /tmp/testfile"}'

If the command succeeds and the file /tmp/testfile is created on the server, it indicates the vulnerability is present.

Additionally, monitoring for unexpected file creations or command executions on the server can help detect exploitation.

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker to execute arbitrary operating system commands remotely without any authentication. This can lead to complete compromise of the platform container or server running Flowise, resulting in unauthorized access, data theft, data manipulation, service disruption, or further attacks on connected systems.

Compliance Impact

The vulnerability allows unauthenticated remote code execution leading to full compromise of the platform container or server. Such a compromise can result in unauthorized access, modification, or disclosure of sensitive data.

This level of security failure can negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require strong access controls, data protection, and incident prevention measures.

Because Flowise lacks role-based access control and runs without authentication by default, it increases the risk of unauthorized data exposure or manipulation, potentially violating regulatory requirements for data confidentiality and integrity.

Mitigation Strategies

To mitigate this vulnerability, ensure that the Flowise installation is updated to version 3.0.6 or later, as versions 2.2.7-patch.1 and earlier are affected.

Additionally, configure authentication by setting FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables to prevent the default installation from running without authentication.

Avoid exposing the /api/v1/node-load-method/customMCP endpoint to untrusted networks, as it can be exploited via crafted JSON payloads with the header 'x-request-from: internal' to execute arbitrary OS commands.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71336. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart