Critical Flowise RCE: Exploit Code Released for CVSS 9.9 Vulnerability

Obsidian Security released proof-of-concept (PoC) exploit code on May 30, 2026, for CVE-2026-40933, a remote code execution (RCE) vulnerability carrying a CVSS score of 9.9 in the open-source Flowise platform. The attack vector utilizes community-shared chatflow JSON files: simply rendering the canvas—without requiring the user to save or manually execute the flow—triggers the server to execute arbitrary commands via the stdio MCP (Model Context Protocol) functionality. Self-hosted instances face complete compromise, including credential theft and unauthorized access to connected services.

Key Takeaways
  • Obsidian Security published PoC code for CVE-2026-40933 in Flowise, an LLM orchestration platform with over 52,000 GitHub stars.
  • The vulnerability is triggered by importing a malicious chatflow; rendering the canvas initiates MCP tool enumeration via stdio, which executes arbitrary commands without sandboxing.
  • Flowise Cloud is not affected as stdio MCP is disabled; however, self-hosted instances are vulnerable by default and often run with root privileges in containerized deployments.
  • The official fix introduced in version 3.1.0 is insufficient. Obsidian demonstrated a bypass in version 3.1.2 by replacing the -y flag with the npm_config_yes=true environment variable.

How the attack works: Canvas rendering as a trigger

The vulnerability resides in Flowise's Custom MCP Tool feature, which employs stdio transport to execute commands as child processes. When a user imports a chatflow, the canvas interface requests the backend to enumerate tools exposed by the configured MCP server. Under stdio transport, this enumeration process directly executes the configured command.

The critical mechanism documented by Obsidian Security is that the loading dropdown activates upon canvas rendering, requiring no explicit save or execution: "the import alone can spawn the command." Insecure serialization of stdio commands within the MCP adapter allows an authenticated attacker to inject stdio MCP servers containing arbitrary commands.

The published PoC generates a reverse shell to the Docker bridge address, demonstrating system-level execution with the privileges of the Flowise process. According to Obsidian's research, these privileges are frequently root in containerized deployments.

"OS-level execution with the Flowise process's privileges, often root in containerized deployments. Every credential stored in the platform is readable. Every connected service is reachable" — Obsidian Security

Partial fixes and the demonstrated bypass

Flowise released a fix in version 3.1.0, as documented in the National Vulnerability Database (NVD) record for CVE-2026-40933, which lists versions prior to that release as affected. The fix relied on input validation and a command allowlist.

However, Obsidian Security proved this approach is inadequate. While testing version 3.1.2, researchers bypassed the flag-based validation by substituting -y with the npm_config_yes=true environment variable—a semantically equivalent command that evaded the implemented checks. Obsidian stated: "The current input-validation based fix is easy to circumvent, so the latest version remains affected."

The available reporting does not specify whether Flowise has since released a definitive fix for this bypass. The initial disclosure took place in April 2026, but its exact date is not documented.

Why stdio MCP is an execution primitive treated as configuration

The architecture of this vulnerability highlights a systemic pattern in AI orchestration platforms: the stdio MCP feature, designed for local access to tools and services, treats user input as trusted configuration for a code execution primitive. The absence of sandboxing ensures that in multi-user deployments, importing a community-shared artifact becomes a vector for full server compromise.

The issue is not merely an isolated implementation bug but a discrepancy between the design's threat model and actual deployment practices. Flowise Cloud, which disables stdio MCP, remains unaffected; conversely, self-hosted instances leave it enabled by default. This standard configuration, combined with Flowise’s integration with databases, APIs, and cloud accounts, significantly amplifies the impact: "blast radius scales with whatever it connects to," according to Obsidian.

Mitigation strategies

Operators of self-hosted Flowise instances should prioritize the following actions:

  • Verify the installed version: While the NVD record indicates versions prior to 3.1.0 are affected, the bypass demonstrated in 3.1.2 necessitates caution for all releases until a definitive vendor-documented fix is available.
  • Reassess the necessity of stdio MCP: In multi-user environments, disabling this feature eliminates the attack vector, mirroring the secure configuration of Flowise Cloud.
  • Isolate the Flowise instance: Run the platform within a least-privilege execution context, strictly avoiding root execution in containers or on the host.
  • Audit imported chatflows: Limit imports from unverified sources, as the mere rendering of the JSON file triggers execution.
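One way to carry out the chatflow audit before import, as an added example (not Flowise or Obsidian Security code): it walks the JSON, including JSON embedded in string fields, and holds any flow that carries a stdio-style server definition, keyed on the presence of a `command` rather than on specific flags. The node and field names in the constructed samples (`customMCP`, `mcpServerConfig`) and the package name `example-mcp-server` are assumptions; the detector itself does not rely on them.

```python
import json

def _maybe_json(text):
    """Return parsed JSON if the string holds an object or array, else None."""
    s = text.strip()
    if not s or s[0] not in "{[":
        return None
    try:
        return json.loads(s)
    except ValueError:
        return None

def find_stdio_configs(node, path="$"):
    """Walk a chatflow and yield every object that names a command to spawn."""
    if isinstance(node, str):
        inner = _maybe_json(node)  # server configs are often stored as JSON text
        if inner is not None:
            yield from find_stdio_configs(inner, path + "<json>")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_stdio_configs(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        if isinstance(node.get("command"), str):
            args, env = node.get("args"), node.get("env")
            yield {"path": path, "command": node["command"],
                   "args": args if isinstance(args, list) else [],
                   "env_keys": sorted(env) if isinstance(env, dict) else []}
        for key, value in node.items():
            yield from find_stdio_configs(value, f"{path}.{key}")

def audit_chatflow(raw_json):
    """Return (allowed, findings); any stdio definition holds the import."""
    findings = list(find_stdio_configs(json.loads(raw_json)))
    return (not findings, findings)

# Constructed samples; field names are assumptions, not taken from Flowise.
def _flow(server_cfg):
    return json.dumps({"nodes": [{"id": "customMCP_0", "data": {
        "name": "customMCP",
        "inputs": {"mcpServerConfig": json.dumps(server_cfg)}}}]})

FLAG_FLOW = _flow({"command": "npx", "args": ["-y", "example-mcp-server"]})
ENV_FLOW = _flow({"command": "npx", "args": ["example-mcp-server"],
                  "env": {"npm_config_yes": "true"}})
PLAIN_FLOW = json.dumps({"nodes": [{"id": "chatOpenAI_0", "data": {
    "name": "chatOpenAI", "inputs": {"temperature": "0.7"}}}]})

if __name__ == "__main__":
    for name, flow in [("flag", FLAG_FLOW), ("env", ENV_FLOW), ("plain", PLAIN_FLOW)]:
        print(name, audit_chatflow(flow))
```

Both the `-y` form and the `npm_config_yes` form are held for review, because the check does not depend on which spelling of the option the file uses.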

Context: Flowise as a recurring target

CVE-2026-40933 is not the only recent vulnerability targeting the platform. Contextual sources document CVE-2025-59528, which has confirmed active exploitation and an estimated 12,000 to 15,000 exposed instances according to TheCyberExpress. However, that vulnerability involves a different vector—JavaScript injection in the CustomMCP node—and should not be confused with the stdio MCP flaw in CVE-2026-40933.

At the time of publication, active in-the-wild exploitation of CVE-2026-40933 has not been confirmed. However, the release of the PoC drastically lowers the barrier to entry, turning a technically complex vulnerability into a mass-exploitation tool for actors capable of crafting malicious JSON.

Obsidian Security’s research is published at obsidiansecurity.com under the title "When is stdio MCP actually a vulnerability." The title encapsulates the central dilemma: when a design feature functions as a systemic vulnerability, the solution is not iterative patching but a fundamental recalibration of the threat model.
