Obsidian Security has published a detailed analysis and proof-of-concept (PoC) code for a critical remote code execution (RCE) vulnerability in the Flowise platform. The flaw, tracked as CVE-2026-40933 and rated CVSS 9.9, was first reported in April alongside other issues affecting AI ecosystems built on Anthropic's Model Context Protocol (MCP).
Understanding the Flowise Vulnerability
Flowise, a widely used open-source platform for building LLM flows and AI agents through a drag-and-drop interface, has over 52,000 stars on GitHub and is one of the projects affected. According to OX Security, the root cause is a systemic command-injection pattern in how applications built on Anthropic's MCP launch stdio servers, a pattern OX Security says is not specific to Flowise but affects the wider MCP ecosystem.
Technical Details and Exploitation
The National Institute of Standards and Technology (NIST) advisory describes CVE-2026-40933 as unsafe serialization of stdio commands in Flowise's MCP adapter: a user-supplied stdio server configuration (the command to run and its arguments) is handed to process spawning without restriction, so whoever can register an MCP stdio server can run arbitrary commands on the host. Flowise versions before 3.1.0 let any user add new MCP stdio commands, which is what makes the flaw exploitable.
Obsidian notes that the simplest path is social engineering: persuade a user to import an attacker-crafted chatflow, and the server executes the embedded command. Exploitation therefore needs someone with permission to add a Custom MCP Tool carrying a malicious stdio MCP configuration, whether a malicious insider, a compromised user account, or a legitimate user tricked into importing the flow.
Impact and Mitigation
A remote attacker embeds the command in a Custom MCP Tool configuration, exports the chatflow as JSON, and sends it to the target. Importing it uses only legitimate Flowise functionality, yet results in the malicious command being spawned. Obsidian's PoC demonstrates this by establishing a reverse shell from the Flowise container back to the Docker bridge address.
Successful exploitation yields OS-level execution with the privileges of the Flowise process, which in containerized deployments is often root. Everything the process can reach is exposed: stored API keys and credentials, connected databases, and any downstream services the flows talk to. Flowise Cloud is unaffected because stdio MCP is disabled there by default; self-hosted deployments, where stdio MCP is enabled, are exposed until patched.
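Because the attack rides on the ordinary chatflow import, a practical pre-import check is to audit the exported JSON for any MCP server configuration that would spawn a process. The script below is an added example written for this page, not Flowise project code or Obsidian's PoC. It assumes (unverified against the Flowise source) that an exported chatflow is an object with a `nodes` array, that each node carries `data.name` and `data.inputs`, that a Custom MCP Tool stores its server configuration as a JSON string in an input such as `mcpServerConfig`, and that a stdio server uses the common MCP shape `{"command": ..., "args": [...], "env": {...}}` while URL-based servers have a `url` field instead. The sample chatflow and the `ALLOWED_STDIO_COMMANDS` allowlist are constructed for the example.

```javascript
// Added example, not Flowise code: audit an exported chatflow JSON for
// MCP stdio server configs before importing it into a self-hosted Flowise.
// Assumption: node/input layout and config shape as described in the lead-in.

// Hypothetical operator allowlist of launchers that may be spawned at all.
// Even these only get "review", since their args choose what actually runs.
const ALLOWED_STDIO_COMMANDS = new Set(["npx", "uvx"]);

// Inputs are stored as strings in the export; tolerate objects and bad JSON.
function parseServerConfig(raw) {
  if (raw == null) return null;
  if (typeof raw === "object") return raw;
  try {
    return JSON.parse(raw);
  } catch {
    return null; // plain text input (model name, prompt, ...), not a config
  }
}

// Flags: inline-code switches (sh -c, node -e, python -c) are always blocked.
const INLINE_CODE_FLAGS = /^-(c|e)$/;

// Walk every node and every input; one finding per stdio-capable MCP server.
function auditChatflow(chatflow) {
  const findings = [];
  for (const node of chatflow.nodes ?? []) {
    const inputs = node.data?.inputs ?? {};
    for (const [inputName, value] of Object.entries(inputs)) {
      const cfg = parseServerConfig(value);
      if (!cfg || typeof cfg !== "object") continue;
      // A config may be a single server or a {mcpServers: {name: {...}}} map.
      const servers = cfg.mcpServers && typeof cfg.mcpServers === "object"
        ? Object.values(cfg.mcpServers)
        : [cfg];
      for (const s of servers) {
        if (!s || typeof s.command !== "string") continue; // url/sse transport or not MCP
        const args = Array.isArray(s.args) ? s.args.map(String) : [];
        const inlineCode = args.some((a) => INLINE_CODE_FLAGS.test(a));
        const verdict =
          ALLOWED_STDIO_COMMANDS.has(s.command) && !inlineCode ? "review" : "block";
        findings.push({
          nodeId: node.id,
          nodeType: node.data?.name,
          input: inputName,
          command: s.command,
          args,
          envKeys: Object.keys(s.env ?? {}),
          verdict,
        });
      }
    }
  }
  return findings;
}

// Import gate: refuse the file if any stdio server is outright blocked.
function shouldImport(chatflow) {
  return auditChatflow(chatflow).every((f) => f.verdict !== "block");
}

// Constructed sample export: one harmless model node, one Custom MCP Tool
// that spawns a shell, one that points at a remote SSE endpoint.
const SAMPLE_CHATFLOW = {
  nodes: [
    { id: "chatOpenAI_0", data: { name: "chatOpenAI", inputs: { modelName: "gpt-4o" } } },
    {
      id: "customMCP_0",
      data: {
        name: "customMCP",
        inputs: {
          mcpServerConfig: JSON.stringify({
            command: "sh",
            args: ["-c", "id"], // stand-in for the attacker's real payload
            env: { PATH: "/usr/bin" },
          }),
        },
      },
    },
    {
      id: "customMCP_1",
      data: {
        name: "customMCP",
        inputs: { mcpServerConfig: JSON.stringify({ url: "https://mcp.example.internal/sse" }) },
      },
    },
  ],
  edges: [],
};

console.log(JSON.stringify(auditChatflow(SAMPLE_CHATFLOW), null, 2));
console.log("import allowed:", shouldImport(SAMPLE_CHATFLOW));
```

Run it with `node audit.js` against a real export to see which nodes would spawn a process on import. Anything with `verdict: "block"` should not be imported on a host where stdio MCP is enabled; a `review` finding still needs a human to read the arguments, because an allowed launcher such as `npx` runs whatever package name follows it.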
For self-hosted operators the practical takeaway is concrete: upgrade to Flowise 3.1.0 or later, disable stdio MCP where it is not needed (as Flowise Cloud already does), restrict who can add Custom MCP Tools, and treat any chatflow JSON received from outside as untrusted input to be reviewed before import.
