CVE-2026-40933 is a critical authenticated remote code execution (RCE — the ability for an attacker to run arbitrary commands on a server they do not own) vulnerability in Flowise, the widely deployed open-source drag-and-drop platform for building large language model (LLM — AI systems such as GPT-4 and Claude) workflows and chatbots. Affecting all Flowise releases before version 3.1.0, the flaw carries a CVSS v3.1 score of 9.9 — rated Critical and the highest severity achievable before a perfect 10 — meaning it is remotely exploitable by any authenticated user with no additional prerequisites. Obsidian Security has published a working proof-of-concept (PoC — functional exploit code that demonstrates the vulnerability) that achieves root-level code execution in a single chatflow import action; all self-hosted Flowise operators must upgrade to version 3.1.0 immediately.
// 01 CVE-2026-40933: Technical Details
CVE-2026-40933 resides in Flowise's handling of the Model Context Protocol (MCP — an open standard that allows AI systems to connect to external tools, databases, and APIs) stdio transport layer. When Flowise launches an MCP server over stdio (Standard Input/Output — the spawned process's own input and output streams, used here as the message channel between Flowise and the MCP server), it spawns a child process on the host and exchanges MCP messages with it over those streams. Before running the command, Flowise applies two validation functions — validateCommandInjection and validateArgsForLocalFileAccess — and checks the command against a predefined allowlist of "safe" executables.
The allowlist fatally includes npx (Node Package eXecutor — the Node.js runtime's package runner, used to execute scripts from the npm registry). As Obsidian Security's researchers discovered, npx accepts a -c flag that passes its argument directly to the underlying system shell for execution. The validation layer examines only the first token of the command — the allowlisted npx binary — and never inspects what -c hands to the shell. An attacker who controls the MCP server configuration can therefore append -c 'any-shell-command-here' and achieve arbitrary OS command execution.
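The following is an added JavaScript example, not Flowise's own code, that contrasts a first-token allowlist check of the kind described above with a hardened check that inspects every argument, and then reuses the hardened check to audit a chatflow JSON file before it is imported (the audit step in the remediation list later on this page). The allowlist contents, the pass-through flags listed for node and python, and the chatflow layout (nodes[].data.inputs.mcpServerConfig holding the server config as a JSON string) are assumptions; the page establishes only that npx is allowlisted and that its -c flag reaches the shell.

```javascript
// Added example, not Flowise's code. Contrasts a first-token allowlist check
// (the pattern the advisory describes) with a check that inspects arguments,
// then reuses the hardened check to audit chatflow JSON before import.
// ASSUMPTIONS: allowlist contents, the non-npx pass-through flags, and the
// chatflow layout (nodes[].data.inputs.mcpServerConfig as a JSON string).

const ALLOWED_COMMANDS = new Set(['npx', 'node', 'uvx', 'python']); // assumed allowlist

// Flags that hand an argument to a shell or interpreter for evaluation.
// npx -c / --call is the one the advisory describes; the node and python
// entries are the same class of pass-through (assumption, not from the page).
const PASS_THROUGH_FLAGS = {
  npx: ['-c', '--call'],
  node: ['-e', '--eval', '-p', '--print'],
  python: ['-c'],
};

// Vulnerable pattern: only the executable name is compared to the allowlist;
// the arguments are never looked at.
function naiveAllowlistCheck(command, _args) {
  return ALLOWED_COMMANDS.has(command.trim().split(/\s+/)[0]);
}

// Hardened check: the command must be exactly one allowlisted token, args must
// be plain strings, and no argument may be a pass-through flag or carry shell
// metacharacters. Returns { ok, reason }.
function hardenedCheck(command, args) {
  const exe = command.trim();
  if (/\s/.test(exe)) return { ok: false, reason: 'command contains whitespace' };
  if (!ALLOWED_COMMANDS.has(exe)) return { ok: false, reason: `command not allowlisted: ${exe}` };
  if (!Array.isArray(args) || !args.every((a) => typeof a === 'string')) {
    return { ok: false, reason: 'args must be an array of strings' };
  }
  for (const a of args) {
    const flag = a.split('=')[0]; // handles --call=<cmd> as well as -c <cmd>
    if ((PASS_THROUGH_FLAGS[exe] || []).includes(flag)) {
      return { ok: false, reason: `shell/eval pass-through flag: ${flag}` };
    }
    if (/[;&|`$<>\n]/.test(a)) return { ok: false, reason: `shell metacharacter in argument: ${a}` };
  }
  return { ok: true, reason: '' };
}

// Walk any JSON value collecting objects that look like an MCP stdio server
// config ({ command, args }). Strings that themselves contain JSON are parsed
// and walked too, because the config is assumed to be stored as a string.
function findMcpConfigs(value, path, out) {
  if (typeof value === 'string') {
    const s = value.trim();
    if (s.startsWith('{') || s.startsWith('[')) {
      try { findMcpConfigs(JSON.parse(s), `${path}(json)`, out); } catch (_) { /* not JSON */ }
    }
    return;
  }
  if (Array.isArray(value)) {
    value.forEach((v, i) => findMcpConfigs(v, `${path}[${i}]`, out));
    return;
  }
  if (value && typeof value === 'object') {
    if (typeof value.command === 'string') {
      out.push({ path, command: value.command, args: value.args === undefined ? [] : value.args });
    }
    for (const [k, v] of Object.entries(value)) findMcpConfigs(v, `${path}.${k}`, out);
  }
}

// Returns every MCP config in the chatflow that fails the hardened check.
function auditChatflow(jsonText) {
  const configs = [];
  findMcpConfigs(JSON.parse(jsonText), '$', configs);
  return configs.map((c) => ({ ...c, ...hardenedCheck(c.command, c.args) })).filter((c) => !c.ok);
}

// Constructed sample: one benign filesystem MCP server and one that abuses npx -c.
const SAMPLE_CHATFLOW = JSON.stringify({
  nodes: [
    { id: 'mcp_0', data: { inputs: { mcpServerConfig: JSON.stringify({
      command: 'npx', args: ['-y', '@modelcontextprotocol/server-filesystem', '/data'] }) } } },
    { id: 'mcp_1', data: { inputs: { mcpServerConfig: JSON.stringify({
      command: 'npx', args: ['-c', 'PLACEHOLDER_SHELL_COMMAND'] }) } } },
  ],
});

console.log(auditChatflow(SAMPLE_CHATFLOW));
```

The point of the contrast is that `naiveAllowlistCheck` accepts `npx` no matter what follows it, while `hardenedCheck` treats the argument vector as part of the command surface; the advisory's validateArgsForLocalFileAccess concern (local path access) is a separate policy that would be layered on top of this check.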
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H decodes as:
- AV:N — Attack Vector: Network. The flaw is exploitable entirely over a network connection, no local access required.
- AC:L — Attack Complexity: Low. No race conditions, special configurations, or reconnaissance steps are required.
- PR:L — Privileges Required: Low. Any authenticated Flowise account — regardless of role — can trigger the exploit.
- UI:N — User Interaction: None. The importing user need not take any additional action beyond opening the malicious chatflow.
- S:C — Scope: Changed. Execution escapes the Flowise application boundary and reaches the underlying host operating system.
- C:H / I:H / A:H — Confidentiality, Integrity, Availability all rated High: the attacker gains full OS-level access, including all stored data.
```mermaid
%% CVE-2026-40933 Flowise one-click RCE via malicious chatflow import
sequenceDiagram
autonumber
participant A as <b>Attacker</b><br/>Any authenticated Flowise user<br/>Shares malicious chatflow JSON
participant F as <b>Flowise Server</b><br/>Pre-3.1.0, self-hosted<br/>Often Docker-containerized
participant M as <b>MCP Adapter</b><br/>stdio transport layer<br/>Unsafe npx command serialization
participant O as <b>Host OS</b><br/>Flowise process context<br/>Typically root in containers
A->>F: Imports malicious chatflow JSON<br/>containing rogue MCP stdio server config
F->>F: Canvas renders chatflow<br/>auto-enumerates MCP server tools
F->>M: Spawns stdio transport process<br/>serializes allowlisted npx command + attacker args
Note over M: Validation bypass: npx is allowlisted;<br/>attacker appends -c with arbitrary shell payload
M->>O: Executes OS command as Flowise<br/>process user — root in most Docker deploys
O-->>A: Reverse shell to attacker via<br/>Docker bridge (172.17.0.1)
Note over O: Full access: API keys, LLM tokens,<br/>database credentials, all connected tool secrets
```
// 02 Exploitation Status and Threat Landscape
Obsidian Security published a PoC exploit alongside its disclosure. The PoC is packaged as a standard Flowise chatflow JSON file that, when imported, creates a reverse shell (a network connection that gives the attacker an interactive terminal session on the victim server) back to the Docker bridge host address (172.17.0.1 — the container host's IP, reachable from within any Docker container), achieving OS-level command execution with Flowise process privileges — typically root in containerized deployments.
The attack's trigger is automatic: Flowise's canvas begins enumerating MCP server tools the moment a chatflow is rendered, requiring no additional user action beyond opening the file. This makes CVE-2026-40933 exploitable as a one-click supply chain attack — anyone who shares or publishes chatflows (a legitimate and common Flowise use case) can compromise any downstream importer.
There is no confirmed active exploitation of CVE-2026-40933 in production environments at time of publication. However, a related Flowise flaw — CVE-2025-59528 (a separate MCP node RCE) — was actively exploited beginning April 2026, with VulnCheck detecting first-time exploitation within hours of disclosure against approximately 12,000–15,000 publicly reachable Flowise instances. The publication of a ready-to-use PoC for CVE-2026-40933 raises exploitation risk substantially.
CVE-2026-40933 has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog — a list confirming active exploitation in the wild — as of this writing.
// 03 Who Is Affected
All self-hosted Flowise deployments running any version before 3.1.0 are vulnerable by default. Flowise Cloud (the vendor-managed SaaS offering) is not affected; the vendor disabled stdio MCP transport in its cloud infrastructure prior to this disclosure.
The vulnerability is exploitable by any authenticated Flowise user with the ability to create or share chatflows. In typical Flowise deployments, this includes:
- All registered users in multi-user instances
- Any attacker who obtains valid credentials via phishing, credential stuffing, or a brute-force attack against the Flowise login
- Recipients of externally shared chatflow JSON files, including those distributed via GitHub, community forums, or AI workflow marketplaces
Flowise is popular among AI developers, enterprises building internal knowledge-base chatbots, and startups deploying RAG (Retrieval-Augmented Generation — a technique that combines document retrieval with LLM generation to produce grounded answers) pipelines. Many production deployments run in Docker containers as root, maximizing the blast radius of a successful exploit.
// 04 What You Should Do Right Now
- Upgrade to Flowise 3.1.0 immediately. The patched version is available on the Flowise GitHub repository. If running via Docker, pull the updated image: `docker pull flowiseai/flowise:latest`. If running via npm, execute `npm install -g flowise@latest`.
- Audit externally sourced chatflows. Inspect any chatflow JSON received from external sources for MCP adapter configurations with unexpected `command` or `args` fields. In Flowise, navigate to Chatflows → Settings and remove any MCP adapter entries you did not configure.
- Run Flowise as a non-root user. Even within Docker, use `--user 1000:1000` or a `user:` directive in Docker Compose to limit exploit impact. A non-root process means a successful exploit cannot write to system paths.
- Restrict network exposure. If Flowise is not intended to be internet-facing, bind it to `127.0.0.1` and place it behind an authenticated reverse proxy. Remove public access immediately if you cannot patch today.
- Enforce authentication. Flowise supports login via the `FLOWISE_USERNAME` and `FLOWISE_PASSWORD` environment variables. Confirm authentication is required — unauthenticated instances eliminate the low-privilege requirement and allow exploitation by anyone who can reach the server.
- Monitor for anomalous outbound connections. Watch for unexpected outbound TCP sessions from the Flowise container, particularly short-lived connections to external IP addresses shortly after chatflow import events.
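An added detection example for the last step, written here and not taken from the advisory or from Flowise: it correlates chatflow import events from a Flowise access log with outbound connection records from the container and raises a high-severity alert for any unexpected destination reached within a short window after an import, and a medium-severity alert for unexpected destinations at other times. The log line formats, the container address, the expected-destination list, the addresses and ports in the samples, and the rule "a POST to a chatflows route is an import" are all constructed assumptions to be adapted to a real deployment.

```javascript
// Added example, not Flowise code. Correlates chatflow import events with
// outbound connections from the Flowise container.
// ASSUMPTIONS: log formats, container IP, expected destinations, and the
// import-detection rule are all constructed for this example.

const WINDOW_SECONDS = 120;                 // outbound within this many seconds of an import is suspicious
const FLOWISE_CONTAINER_IP = '172.17.0.2';  // assumed container address on the Docker bridge
const EXPECTED_DESTINATIONS = new Set(['10.0.0.5:5432', '10.0.0.6:443']); // constructed: database, LLM gateway

// Parse "key=value key=value" fields into an object.
function parseKv(rest) {
  const out = {};
  for (const tok of rest.split(/\s+/)) {
    const i = tok.indexOf('=');
    if (i > 0) out[tok.slice(0, i)] = tok.slice(i + 1);
  }
  return out;
}

// Assumed access-log shape: "<ISO ts> <METHOD> <path> user=<name> status=<code>"
function parseAccessLine(line) {
  const m = line.match(/^(\S+)\s+(GET|POST|PUT|DELETE)\s+(\S+)\s*(.*)$/);
  if (!m) return null;
  return { ts: Date.parse(m[1]) / 1000, method: m[2], path: m[3], ...parseKv(m[4]) };
}

// Assumed connection-log shape: "<ISO ts> src=<ip> dst=<ip> dport=<port> dur=<seconds>"
function parseConnLine(line) {
  const m = line.match(/^(\S+)\s+(.*)$/);
  if (!m) return null;
  const kv = parseKv(m[2]);
  if (!kv.src || !kv.dst || !kv.dport) return null;
  return { ts: Date.parse(m[1]) / 1000, src: kv.src, dst: kv.dst, dport: kv.dport, dur: Number(kv.dur || 0) };
}

// Assumed rule: a chatflow import/save is a POST to a chatflows route.
function isChatflowImport(ev) {
  return ev.method === 'POST' && /\/chatflows/.test(ev.path);
}

// Returns one alert per outbound connection from the Flowise container to a
// destination outside the expected set; severity is "high" when the
// connection starts within WINDOW_SECONDS after a chatflow import.
function correlate(accessLines, connLines) {
  const imports = accessLines.map(parseAccessLine).filter((e) => e && isChatflowImport(e));
  const alerts = [];
  for (const c of connLines.map(parseConnLine).filter(Boolean)) {
    if (c.src !== FLOWISE_CONTAINER_IP) continue;
    if (EXPECTED_DESTINATIONS.has(`${c.dst}:${c.dport}`)) continue;
    // Most recent import that precedes the connection within the window.
    const trigger = [...imports].reverse().find((i) => c.ts >= i.ts && c.ts - i.ts <= WINDOW_SECONDS);
    alerts.push({
      severity: trigger ? 'high' : 'medium',
      dst: `${c.dst}:${c.dport}`,
      durationSeconds: c.dur,
      secondsAfterImport: trigger ? c.ts - trigger.ts : null,
      importUser: trigger ? trigger.user || null : null,
    });
  }
  return alerts;
}

// Constructed sample logs (not real Flowise output).
const ACCESS_LOG = [
  '2026-04-20T09:59:30Z GET /api/v1/chatflows user=alice status=200',
  '2026-04-20T10:00:00Z POST /api/v1/chatflows user=alice status=200',
];
const CONN_LOG = [
  '2026-04-20T09:55:00Z src=172.17.0.2 dst=10.0.0.5 dport=5432 dur=300',  // expected: database
  '2026-04-20T10:00:03Z src=172.17.0.2 dst=10.0.0.6 dport=443 dur=1',     // expected: LLM gateway
  '2026-04-20T10:00:05Z src=172.17.0.2 dst=172.17.0.1 dport=9001 dur=3',  // unexpected, 5 s after import
  '2026-04-20T10:30:00Z src=172.17.0.2 dst=203.0.113.9 dport=443 dur=1',  // unexpected, outside window
  '2026-04-20T10:30:01Z src=172.17.0.3 dst=203.0.113.9 dport=443 dur=1',  // different container, ignored
];

console.log(correlate(ACCESS_LOG, CONN_LOG));
```

In practice the expected-destination set is the part that needs care: the Flowise container legitimately talks to its database and to LLM endpoints, so those must be enumerated (ideally by hostname through an egress proxy rather than by IP) or the rule will page on every model call.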
// 05 Background: Understanding the Risk
Flowise is among the most widely deployed open-source LLM orchestration platforms, with its GitHub repository exceeding 40,000 stars and hundreds of thousands of downloads. Its visual, no-code interface has made it a default starting point for AI prototyping and production deployments across engineering teams that do not have dedicated ML infrastructure expertise.
The Model Context Protocol (MCP), introduced in late 2024, added a significant new attack surface to platforms like Flowise. MCP allows LLM applications to invoke external tools — code executors, file systems, REST APIs, databases — through a standardized interface. The stdio transport variant, designed for local tool execution, carries inherent risk when exposed to user-supplied configuration: the boundary between "invoke a trusted tool" and "execute an arbitrary shell command" collapses when the invocation mechanism is a flexible runtime like npx that accepts shell pass-through flags.
This is not Flowise's first serious vulnerability. CVE-2024-31621 was an authentication bypass in earlier versions; CVE-2025-59528 and CVE-2025-8943 both demonstrated active exploitation in 2026. The pattern of back-to-back critical flaws reflects the challenge of securing rapidly evolving AI developer tooling: feature velocity outpaces security review, and each new protocol integration — MCP being the most recent — introduces a fresh class of risk that existing validation logic does not anticipate.
Enterprises running Flowise for production AI workflows should treat it with the same security posture as any code-execution server: isolated network zone, non-root process user, authenticated access with strong credentials, and no public internet exposure without a WAF or reverse proxy in front.
// 06 Conclusion
CVE-2026-40933 is a straightforward upgrade decision: Flowise 3.1.0 closes the vulnerability, the PoC is public, and self-hosted instances running older versions are one chatflow import away from a root shell. Upgrade now, audit imported chatflows for rogue MCP configurations, and ensure Flowise is not running as root in your container environment before CVE-2026-40933 joins its predecessor on active exploitation lists.
For any query contact us at contact@cipherssecurity.com
