Flowise, an open-source platform for building AI chatflows, suffers from a critical RCE vulnerability (CVE-2026-40933) due to unsafe serialization and execution of stdio commands in its MCP adapter. Before version 3.1.0, any user able to create or edit chatflows can add a malicious Custom MCP Tool with arbitrary commands. When a crafted chatflow JSON is imported, the malicious command executes automatically on the server, leveraging Flowise’s legitimate functionality to spawn OS-level processes. This vulnerability arises from a 'by design' command injection flaw in Anthropic’s MCP protocol, which Flowise uses. Successful exploitation can compromise the entire server and connected infrastructure. Flowise Cloud is unaffected as it disables stdio MCP. No patch or official fix details are provided in the available data.

Successful exploitation results in arbitrary code execution on the underlying operating system with the privileges of the Flowise process, often root in containerized deployments. This allows attackers to read all credentials stored in the platform and access every connected service, including databases, APIs, and cloud accounts, significantly increasing the potential blast radius. The vulnerability can be triggered remotely by convincing a user to import a malicious chatflow, enabling attackers to take full control of self-hosted Flowise servers. Flowise Cloud instances are not impacted. No evidence of active exploitation in the wild has been reported at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, organizations should avoid importing chatflows from untrusted sources and restrict the ability to create or edit chatflows to trusted users only. Consider disabling or restricting the use of Custom MCP Tools if possible. Monitor vendor channels for updates and apply patches promptly once released. Note that Flowise Cloud instances are not vulnerable due to disabled stdio MCP.