{"id":16302,"date":"2026-06-01T12:02:00","date_gmt":"2026-06-01T12:02:00","guid":{"rendered":"https:\/\/newestek.com\/?p=16302"},"modified":"2026-06-01T12:02:00","modified_gmt":"2026-06-01T12:02:00","slug":"flowises-mcp-implementation-can-run-ghost-commands","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16302","title":{"rendered":"Flowise\u2019s MCP implementation can run ghost commands"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Enterprises using the lightweight, open-source Flowise platform to power self-hosted AI workloads have a new near-max severity issue to worry about.<\/p>\n<p>Researchers at Obsidian Security have detailed a one-click remote code execution (RCE) vulnerability affecting self-hosted Flowise deployments through its implementation of Model Context Protocol (<a href=\"https:\/\/www.csoonline.com\/article\/4031749\/mcp-security-securing-the-backbone-of-agentic-ai.html\" target=\"_blank\">MCP<\/a>) stdio servers.<\/p>\n<p>The problem is essentially a sandboxing failure of attacker-controlled MCP configurations, leading to server-side code execution.<\/p>\n<p>\u201cPost-auth RCE in Flowise can be triggered with a single click via a malicious chatflow import before any save or run,\u201d the researchers said in a blog <a href=\"https:\/\/www.obsidiansecurity.com\/blog\/when-is-stdio-mcp-actually-a-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a>. 
\u201cThe official patch relies on input validation that is trivially bypassed and fails to address the root cause.\u201d<\/p>\n<p>Flowise is commonly used to develop internal AI assistants, retrieval-augmented generation (<a href=\"https:\/\/www.csoonline.com\/article\/4163888\/securing-rag-pipelines-in-enterprise-saas.html\">RAG<\/a>) applications, customer-facing chatbots, and autonomous agents connected to business systems.<\/p>\n<p>The flaw does not affect Flowise Cloud, as stdio MCP is disabled there. For the rest, where the feature is enabled because it is genuinely needed, there is a security-versus-functionality tradeoff that developers need to understand, and they should actively review server configurations for possible threats, the researchers explained.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>One-click RCE affects everything Flowise can reach<\/h2>\n<p>The vulnerability, tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-40933\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2026-40933<\/a>, affects Flowise\u2019s implementation of MCP stdio servers. MCP\u2019s stdio transport is designed to launch local server processes and communicate with them through standard input and output streams, allowing AI agents to interact with files, Git repositories, databases, browsers, and local credentials.<\/p>\n<p>According to Obsidian Security, the issue stems from Flowise allowing users to configure MCP stdio servers containing arbitrary commands. 
Because those commands are ultimately executed by the underlying operating system, an attacker can achieve remote code execution with the privileges of the Flowise process.<\/p>\n<p>In containerized deployments, the researchers noted, this can effectively provide root-level access to the environment hosting the platform.<\/p>\n<p>The flaw has been assigned a 9.9 CVSS rating, with a successful compromise potentially exposing API keys, databases, cloud resources, SaaS applications, and other assets accessible through Flowise.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Researchers said the fixes fall short<\/h2>\n<p>The disclosure details a series of remediation efforts by Flowise aimed at restricting how MCP stdio commands can be configured and executed. According to Obsidian, however, each iteration relied primarily on command validation and filtering mechanisms that can be bypassed under certain conditions.<\/p>\n<p>\u201cFlowise appeared to acknowledge the risk and hardened Custom MCP over several rounds,\u201d the researchers noted. \u201c<a href=\"https:\/\/github.com\/FlowiseAI\/Flowise\/pull\/5232\">#5232<\/a> introduced CUSTOM_MCP_SECURITY_CHECK, a default-enabled validation layer for Custom MCP configurations.\u201d While the checks reduced obvious command execution paths, they did little to change the underlying threat of allowing users to supply stdio MCP configurations, they said.<\/p>\n<p>Obsidian\u2019s reporting of the flaw triggered further hardening of the feature with flag validation in updates <a href=\"https:\/\/github.com\/FlowiseAI\/Flowise\/pull\/5741\" target=\"_blank\" rel=\"noreferrer noopener\">#5741 <\/a>and <a href=\"https:\/\/github.com\/FlowiseAI\/Flowise\/pull\/5943\" target=\"_blank\" rel=\"noreferrer noopener\">#5943<\/a>. 
These, too, did not entirely remove the threat.<\/p>\n<p>When requested to treat stdio MCP as unsafe by default and require explicit opt-in, Flowise reportedly said they wanted to \u201climit what we know is bad without completely disabling features that users may rely on.\u201d Obsidian shared proof-of-concept (POC) exploit code showing how Flowise\u2019s current protections could still be bypassed for successful RCE.<\/p>\n<p>The only complete mitigation recommended by the researchers is turning off MCP stdio by setting \u201cCUSTOM_MCP_PROTOCOL=sse\u201d. For those who can\u2019t turn it off without obstructing operations, pinning trusted packages where possible and reviewing chatflows imported from untrusted sources might help, the researchers added.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Enterprises using the lightweight, open-source Flowise platform to power self-hosted AI workloads have a new near-max severity issue to worry about. Researchers at Obsidian Security have detailed a one-click remote code execution (RCE) vulnerability affecting self-hosted Flowise deployments through its implementation of Model Context Protocol (MCP) stdio servers. The problem is essentially a sandboxing failure of attacker-controlled MCP configurations, leading to server-side code execution. 
\u201cPost-auth&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16302\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16302","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16302","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16302"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16302\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}