Exploit Code Published for Critical Flowise RCE Vulnerability
Exploit code published for critical Flowise RCE vulnerability (CVE-2026-40933, CVSS 9.9)
Summary
Obsidian Security has released proof-of-concept exploit code for CVE-2026-40933, a critical (CVSS 9.9) remote code execution vulnerability in Flowise, an open-source platform for building LLM flows and AI agents that has over 52,000 GitHub stars. The flaw is an unsafe serialization of stdio commands in Flowise's MCP adapter: before version 3.1.0, any user who could create or edit a chatflow could add a Custom MCP Tool whose stdio configuration carried an arbitrary command, and Flowise executed that command on the underlying OS. Because the command is launched when the imported chatflow renders on the canvas, convincing a user to import a crafted chatflow JSON is enough to obtain OS-level code execution with the Flowise process's privileges. Flowise Cloud is not affected; self-hosted instances are vulnerable by default.
Full text
Obsidian Security has released technical information and proof-of-concept (PoC) code targeting a remote code execution (RCE) vulnerability in Flowise. The issue, tracked as CVE-2026-40933 (CVSS score of 9.9), was disclosed in April along with several other security defects impacting AI ecosystems that rely on Anthropic's MCP protocol.

Flowise, a popular open source platform that provides developers with a drag-and-drop interface for building LLM flows and AI agents, and which has over 52,000 GitHub stars, was flagged as one of the impacted products. According to OX Security, the root cause of the issue is a "by design", systemic command injection vulnerability in Anthropic MCP, which propagates through the ecosystem.

A NIST advisory describes CVE-2026-40933 as an unsafe serialization of stdio commands in the MCP adapter, allowing an attacker to add an MCP stdio server with an arbitrary command and achieve code execution. The weakness existed because Flowise before version 3.1.0 allowed any user to add a new MCP server and, when doing so, to specify any command, enabling code execution on the underlying OS.

According to Obsidian, attackers can exploit the bug to take over servers simply by convincing a user to import a crafted chatflow; the import action itself triggers arbitrary code execution on the server.

"Any user who can create or edit chatflows can add a Custom MCP Tool and supply a malicious stdio MCP configuration. In practice, this requires a malicious insider or a compromised user account," Obsidian notes.

A remote attacker, the cybersecurity firm explains, can include a malicious command in a Custom MCP Tool configuration, export the chatflow as JSON, and share it with the victim. The payload abuses Flowise's legitimate functionality to execute the malicious command during the import process.
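A practical defensive check for the attack path described above is to inspect an exported chatflow before anyone imports it and flag every MCP tool that would start a local process. The Python script below is an added example written for this article, not Flowise's own code or Obsidian's PoC. It assumes (these details are not confirmed by the article) that a Flowise export is a JSON object with a `nodes` array, that each node carries `data.name` and `data.inputs`, that the Custom MCP Tool node is named `customMCP`, and that its server configuration sits in an `mcpServerConfig` input either as a JSON string or as an object, optionally wrapped in the common `{"mcpServers": {...}}` form. The sample export embedded in the block is constructed for the example; the flagged command is a harmless placeholder standing in for the reverse shell Obsidian describes.

```python
import json
import shlex

# ASSUMPTIONS (not confirmed by the article): the Custom MCP Tool node is
# named "customMCP" and keeps its server spec in the "mcpServerConfig" input.
MCP_NODE_NAMES = {"customMCP"}
CONFIG_INPUT_KEY = "mcpServerConfig"


def _parse_server_config(raw):
    """Return the MCP server config as a dict; accept a JSON string or a dict."""
    if isinstance(raw, dict):
        return raw
    if isinstance(raw, str):
        try:
            parsed = json.loads(raw)
        except json.JSONDecodeError:
            return None
        return parsed if isinstance(parsed, dict) else None
    return None


def _iter_servers(config):
    """Yield (name, spec) for a bare server spec or a {"mcpServers": {...}} wrapper."""
    servers = config.get("mcpServers")
    if isinstance(servers, dict):
        for name, spec in servers.items():
            if isinstance(spec, dict):
                yield name, spec
    else:
        yield "(default)", config


def find_stdio_mcp_tools(chatflow):
    """One finding per MCP server that uses stdio transport, i.e. carries a
    "command" key. URL-based transports (sse/http) spawn no process and are skipped.
    An unparseable config is reported too, since it cannot be cleared by inspection."""
    findings = []
    for node in chatflow.get("nodes", []):
        data = node.get("data", {})
        if data.get("name") not in MCP_NODE_NAMES:
            continue
        config = _parse_server_config(data.get("inputs", {}).get(CONFIG_INPUT_KEY))
        if config is None:
            findings.append({"node": node.get("id"), "server": None, "command": None,
                             "reason": "unparseable mcpServerConfig"})
            continue
        for name, spec in _iter_servers(config):
            command = spec.get("command")
            if command is None:
                continue
            args = spec.get("args") or []
            argv = [str(command)] + [str(a) for a in args if a is not None]
            findings.append({"node": node.get("id"), "server": name,
                             "command": shlex.join(argv),
                             "reason": "stdio MCP server is spawned when the canvas "
                                       "enumerates its tools on import"})
    return findings


def triage_export(chatflow_json):
    """Parse an exported chatflow and decide whether it can be imported unreviewed."""
    findings = find_stdio_mcp_tools(json.loads(chatflow_json))
    return {"safe_to_import": not findings, "findings": findings}


# Constructed sample export: one ordinary node, one stdio MCP tool carrying a
# placeholder command, and one URL-based MCP tool that spawns nothing.
SAMPLE_EXPORT = json.dumps({
    "nodes": [
        {"id": "chatOpenAI_0", "data": {"name": "chatOpenAI",
                                        "inputs": {"modelName": "gpt-4o"}}},
        {"id": "customMCP_0", "data": {"name": "customMCP", "inputs": {
            CONFIG_INPUT_KEY: json.dumps({"command": "bash",
                                          "args": ["-c", "id > /tmp/mcp-import-fired"]})}}},
        {"id": "customMCP_1", "data": {"name": "customMCP", "inputs": {
            CONFIG_INPUT_KEY: json.dumps({"url": "https://mcp.example.internal/sse"})}}},
    ],
    "edges": [],
})

if __name__ == "__main__":
    print(json.dumps(triage_export(SAMPLE_EXPORT), indent=2))
```

Run against a real export with `triage_export(open("chatflow.json").read())`; any non-empty `findings` list means the file starts a process on the Flowise host as soon as it renders, so the command line should be reviewed by someone who understands what it does before the import proceeds.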
"Flowise's Custom MCP node has an 'Available Actions' dropdown that lists the tools exposed by the configured MCP server. To populate that dropdown, the canvas asks the backend to enumerate the server's tools. With stdio transport, enumeration starts the configured command. Because the dropdown loads when the imported chatflow renders on the canvas, the import alone can spawn the command," Obsidian notes.

The cybersecurity firm has published PoC code that, when imported, opens a reverse shell to the host via Docker's bridge address.

Obsidian says successful exploitation of CVE-2026-40933 leads to "OS-level execution with the Flowise process's privileges, often root in containerized deployments. Every credential stored in the platform is readable. Every connected service is reachable. Flowise in production is typically wired into databases, APIs, and cloud accounts; the blast radius scales with whatever it connects to."

The cybersecurity firm notes that Flowise Cloud is not affected, because it has stdio MCP disabled. Self-hosted instances are vulnerable by default.

Written by Ionut Arghire, international correspondent for SecurityWeek.
Indicators of Compromise
- cve — CVE-2026-40933