PROBABLYPWNED
Vulnerabilities · May 31, 2026 · 3 min read

Flowise One-Click RCE — Import a Chatflow, Lose Your Server

CVE-2026-40933 (CVSS 9.9) allows attackers to compromise self-hosted Flowise AI agent builders by tricking users into importing a malicious chatflow. The payload executes during import, with no further user action.

Marcus Chen

A single chatflow import can compromise an entire Flowise server. Obsidian Security discovered CVE-2026-40933, a critical vulnerability in the popular AI agent building platform that scores CVSS 9.9 and requires no additional user interaction beyond importing a malicious file.

Flowise, an open-source platform with over 52,000 GitHub stars, lets developers build LLM workflows and AI agents through a visual interface. The vulnerability affects self-hosted instances running versions before 3.1.0.

The Import-Time Execution Flaw

The vulnerability lives in Flowise's Custom MCP tool support, which allows users to define Model Context Protocol server configurations using the stdio transport. When a chatflow containing an MCP configuration is imported, Flowise launches the configured command as a child process on the server—without sandboxing, validation, or user confirmation.

A malicious chatflow embeds an attacker-controlled MCP configuration. The moment an authorized user imports the file and the chatflow renders on the canvas, arbitrary server-side code executes. No additional clicks, no extra prompts. Import alone triggers the payload.

This follows a pattern we covered earlier this year with CVE-2025-59528, where Flowise's CustomMCP node evaluated user-supplied configuration through JavaScript's Function() constructor, allowing code injection. The platform continues to struggle with safely handling user-supplied configurations.

Attack Scenarios

The attack requires social engineering an authorized user into importing a crafted chatflow. This could happen through community sharing platforms, Discord servers, GitHub repositories, or direct distribution to targets. Flowise's community actively shares chatflow templates, making the social engineering component straightforward.

Once executed, attackers gain OS-level access with the Flowise process's privileges—often root in containerized deployments. They can access stored credentials, API keys, and any connected services. For organizations using Flowise to build AI agents that interact with production systems, compromise of the Flowise server means compromise of everything it touches.

The npm supply chain attacks we've tracked show how developer-focused tools are increasingly targeted. Flowise sits at an interesting intersection: it's a developer tool that also handles sensitive AI credentials and often has access to production infrastructure.

Who's Affected

Self-hosted Flowise instances running versions before 3.1.0 are vulnerable by default. Flowise Cloud deployments are protected—stdio MCP is disabled in the hosted environment.

The vulnerable configuration is the default. Organizations running self-hosted Flowise don't need to have misconfigured anything to be at risk. They just need to import an untrusted chatflow.

Mitigation

Upgrade to Flowise version 3.1.0 or later. The fix adds flag validation to block risky options like -y, -c, --yes, and --eval when used with allowlisted commands. Note what that is: a denylist of arguments to commands that remain allowed. The stdio transport still spawns a process on the server, so the upgrade reduces, rather than removes, the trust you place in an imported chatflow.
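To make the import-time flaw and the shape of the fix concrete, here is an added example of an import-time gate for Custom MCP stdio configurations. It is written in TypeScript because Flowise is a Node/TypeScript project, but it is not Flowise's code and not the actual 3.1.0 patch. The node name `customMCP`, the input field `mcpServerConfig`, the command allowlist (`npx`, `node`, `uvx`), node's `-e` alias for `--eval`, and the environment-variable check (which goes beyond the flags the article names, since `NODE_OPTIONS` can load code into the child regardless of its arguments) are all assumptions. The sample chatflow at the bottom is constructed for the example.

```typescript
// Added example, not Flowise's own code: validate Custom MCP stdio configs
// at chatflow-import time, before anything is spawned. Field names, the
// command allowlist, the "-e" alias and the env-var list are assumptions.

interface McpStdioConfig {
  command: string;
  args?: string[];
  env?: Record<string, string>;
}

interface FlowNode {
  id: string;
  data: { name: string; inputs?: Record<string, unknown> };
}

interface Chatflow {
  nodes: FlowNode[];
}

interface Finding {
  nodeId: string;
  reasons: string[];
}

// Assumption: the only launchers an MCP server should be started through.
const ALLOWED_COMMANDS: ReadonlySet<string> = new Set(["npx", "node", "uvx"]);

// Flags the fix is described as blocking (-y, -c, --yes, --eval), plus
// node's short "-e" alias for --eval (assumption).
const BLOCKED_FLAGS: ReadonlySet<string> = new Set(["-y", "-c", "--yes", "--eval", "-e"]);

// Env vars that make the child interpreter load code no matter what its
// arguments say (assumption; not part of the described fix).
const BLOCKED_ENV: ReadonlySet<string> = new Set(["NODE_OPTIONS", "PYTHONSTARTUP", "LD_PRELOAD"]);

// Returns a list of reasons the config is unsafe; empty means it passed.
export function validateStdioConfig(cfg: McpStdioConfig): string[] {
  const reasons: string[] = [];
  // Exact match only, so "/bin/sh" or "./node" cannot pass a basename check.
  if (!ALLOWED_COMMANDS.has(cfg.command)) {
    reasons.push(`command not allowlisted: ${cfg.command}`);
  }
  for (const arg of cfg.args ?? []) {
    // Normalise "--eval=code" to "--eval" before the lookup.
    const flag = arg.includes("=") ? arg.slice(0, arg.indexOf("=")) : arg;
    if (BLOCKED_FLAGS.has(flag)) {
      reasons.push(`blocked flag: ${flag}`);
    }
  }
  for (const key of Object.keys(cfg.env ?? {})) {
    if (BLOCKED_ENV.has(key)) {
      reasons.push(`blocked env var: ${key}`);
    }
  }
  return reasons;
}

// Assumption: the node stores its server config as a JSON string in
// inputs.mcpServerConfig with top-level "command"/"args"/"env" keys.
export function parseMcpConfig(raw: unknown): McpStdioConfig | null {
  if (typeof raw !== "string") return null;
  try {
    const parsed = JSON.parse(raw);
    if (typeof parsed?.command !== "string") return null;
    return parsed as McpStdioConfig;
  } catch {
    return null;
  }
}

// Walk every node of an imported flow and collect the ones that would
// launch something the policy does not allow.
export function findUnsafeMcpNodes(flow: Chatflow): Finding[] {
  const findings: Finding[] = [];
  for (const node of flow.nodes) {
    if (node.data.name !== "customMCP") continue; // assumption: node type name
    const cfg = parseMcpConfig(node.data.inputs?.mcpServerConfig);
    const reasons = cfg ? validateStdioConfig(cfg) : ["unparseable MCP config"];
    if (reasons.length > 0) findings.push({ nodeId: node.id, reasons });
  }
  return findings;
}

// The gate an importer would call: refuse the whole flow if any node fails,
// rather than rendering it on the canvas and spawning its processes.
export function importChatflow(flow: Chatflow): { ok: boolean; findings: Finding[] } {
  const findings = findUnsafeMcpNodes(flow);
  return { ok: findings.length === 0, findings };
}

// Constructed sample chatflow: one ordinary MCP node and one that would run
// arbitrary code at import time (the "payload" here is harmless on purpose).
export const SAMPLE_FLOW: Chatflow = {
  nodes: [
    {
      id: "customMCP_0",
      data: {
        name: "customMCP",
        inputs: {
          mcpServerConfig: JSON.stringify({
            command: "npx",
            args: ["@modelcontextprotocol/server-filesystem", "/srv/docs"],
          }),
        },
      },
    },
    {
      id: "customMCP_1",
      data: {
        name: "customMCP",
        inputs: {
          mcpServerConfig: JSON.stringify({
            command: "node",
            args: ["--eval=process.exit(0)"],
            env: { NODE_OPTIONS: "--require=/tmp/x.js" },
          }),
        },
      },
    },
  ],
};

console.log(JSON.stringify(importChatflow(SAMPLE_FLOW), null, 2));
```

The design point is where the check runs: on the parsed import, before any node is instantiated. A check that runs when the tool is first invoked is too late for this bug, because the article's description is that the spawn happens as the flow renders. The allowlist is deliberately an exact string match; a basename comparison would let a path to a copied or symlinked binary through.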

For organizations that cannot upgrade immediately, restrict who can import chatflows and establish strict vetting procedures for any externally-sourced configurations. Treat chatflow files with the same suspicion you'd apply to executable code—because functionally, they are.

If you must run older versions, consider network isolation to limit blast radius. A compromised Flowise server shouldn't have direct access to production databases or cloud management APIs.

Why This Matters

AI development platforms are becoming critical infrastructure for organizations building generative AI applications. Flowise and similar tools often hold credentials for OpenAI, Anthropic, cloud providers, and internal APIs. Compromise of these platforms gives attackers a central point from which to pivot.

The MCP protocol specifically is designed to give AI agents capabilities—file access, code execution, API calls. When the configuration mechanism for those capabilities lacks proper sandboxing, the protocol's power becomes a liability.

Security teams evaluating AI development tools should pay attention to how they handle user-supplied configurations. The question isn't whether the tool is useful—it's whether importing a template from the internet can compromise your infrastructure.

For more on protecting AI development environments, see our malware defense guide covering the types of threats targeting developer workflows.
