Obsidian — Flowise CVE-2026-40933 MCP stdio Supply-Chain RCE
AI relevance: Flowise (52k+ GitHub stars) is a widely-used drag-and-drop platform for building LLM agents and RAG pipelines — a compromised instance hands attackers direct access to every connected database, API, and cloud credential in the AI workflow.
- Obsidian Security published proof-of-concept exploit code for CVE-2026-40933 (CVSS 9.9), a remote code execution vulnerability in Flowise before version 3.1.0.
- The root cause traces back to a systemic command injection flaw in Anthropic's MCP stdio transport, as first flagged by OX Security — stdio commands are unsafely serialized in the MCP adapter.
- Any user who can create or edit chatflows can add a Custom MCP Tool with an arbitrary stdio command, achieving OS-level execution on the Flowise host.
- Attack path: embed a malicious command in a Custom MCP config, export the chatflow as JSON, share it — when the victim imports and the canvas renders, the MCP enumeration step spawns the command automatically.
- The PoC demonstrates a reverse shell back to Docker's bridge address; containerized Flowise deployments typically run as root, so impact is total host takeover.
- Production Flowise instances are wired into databases, APIs, and cloud accounts — blast radius extends to every integrated service.
- This is a supply-chain vector: crafted chatflows can be shared through community templates, GitHub repos, or marketplace listings.
Why it matters
Flowise is one of the most popular open-source AI orchestration platforms. The vulnerability demonstrates how MCP's stdio design — intended for local tool invocation — becomes an RCE primitive when exposed through a multi-user web interface. The chatflow-import attack surface means a single malicious template can compromise any organization that adopts it.
What to do
- Upgrade Flowise to version 3.1.0 or later immediately.
- Audit all imported chatflows for Custom MCP Tool nodes with untrusted stdio commands.
- Restrict who can create or edit chatflows in production instances.
- Run Flowise under a non-root user in containerized deployments.
- Review connected credentials and API keys on any Flowise instance that accepted community templates.
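The audit step above can be scripted against exported chatflow JSON before anyone imports it. The following is an added example, not Obsidian Security's PoC and not Flowise project code; it assumes the export layout (a top-level `nodes` list whose entries carry `data.name` and `data.inputs`, with Custom MCP nodes holding their server configuration in `data.inputs["mcpServerConfig"]` as a JSON string or dict using `command`/`args` for stdio and `url` for remote transports). The allowlist, node names and the sample export are constructed for the demonstration.

```python
"""Audit a Flowise chatflow export for MCP tool nodes that spawn stdio commands.

Added example, not Obsidian Security's PoC and not Flowise project code. The
export layout is an assumption: a top-level "nodes" list whose entries carry
data.name and data.inputs, with Custom MCP nodes keeping their server
configuration in data.inputs["mcpServerConfig"] as a JSON string or dict that
holds "command"/"args" (stdio transport) or "url" (remote transport).
"""
import json
import re

# Constructed allowlist of launchers the organisation has reviewed; anything
# else that spawns a process is treated as high severity.
ALLOWED_LAUNCHERS = {"npx", "uvx"}

# Shell metacharacters have no place in a launcher command or its argv.
SHELL_META = re.compile(r"[;&|`$<>]")


def _load_server_config(raw):
    """mcpServerConfig may be a JSON string or a dict; None means 'not present'."""
    if isinstance(raw, dict):
        return raw
    if isinstance(raw, str):
        try:
            return json.loads(raw)
        except json.JSONDecodeError:
            return {"_unparseable": raw}  # report it, don't silently skip it
    return None


def _server_entries(cfg):
    """Yield (server_name, server_cfg) for flat configs and {"mcpServers": {...}}."""
    servers = cfg.get("mcpServers")
    if isinstance(servers, dict):
        yield from servers.items()
    else:
        yield "<default>", cfg


def audit_chatflow(chatflow):
    """Return findings for every MCP node that would spawn a stdio process.

    Each finding is a dict with node, server, command, args, severity, reasons.
    Remote (url-only) servers are not listed because they spawn nothing locally.
    """
    findings = []
    for node in chatflow.get("nodes", []):
        data = node.get("data", {})
        if "mcp" not in str(data.get("name", "")).lower():
            continue
        cfg = _load_server_config(data.get("inputs", {}).get("mcpServerConfig"))
        if cfg is None:
            continue
        for server, scfg in _server_entries(cfg):
            if not isinstance(scfg, dict):
                continue
            if "_unparseable" in scfg:
                findings.append({"node": node.get("id"), "server": server, "command": None,
                                 "args": [], "severity": "high",
                                 "reasons": ["mcpServerConfig is not valid JSON"]})
                continue
            command = scfg.get("command")
            if command is None:
                continue
            args = [str(a) for a in scfg.get("args", [])]
            reasons = []
            if command not in ALLOWED_LAUNCHERS:
                reasons.append(f"launcher {command!r} is not on the allowlist")
            if SHELL_META.search(" ".join([str(command), *args])):
                reasons.append("shell metacharacters in command or args")
            findings.append({
                "node": node.get("id"), "server": server, "command": command, "args": args,
                "severity": "high" if reasons else "review",
                # Even an allowlisted launcher runs whatever package its args name,
                # so every stdio spawn is listed for a human to review.
                "reasons": reasons or ["stdio command present; verify the package and args"],
            })
    return findings


def audit_file(path):
    """Audit a chatflow JSON file on disk (e.g. a template someone asks you to import)."""
    with open(path, encoding="utf-8") as fh:
        return audit_chatflow(json.load(fh))


# Constructed sample export: one LLM node, one allowlisted stdio server, one
# arbitrary shell launcher, and one remote (url) server.
SAMPLE_CHATFLOW = {
    "nodes": [
        {"id": "chatOpenAI_0", "data": {"name": "chatOpenAI", "inputs": {"modelName": "placeholder-model"}}},
        {"id": "customMCP_0", "data": {"name": "customMCP", "inputs": {"mcpServerConfig": json.dumps(
            {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/data"]})}}},
        {"id": "customMCP_1", "data": {"name": "customMCP", "inputs": {"mcpServerConfig": json.dumps(
            {"mcpServers": {"helper": {"command": "sh", "args": ["-c", "id; touch /tmp/marker"]}}})}}},
        {"id": "customMCP_2", "data": {"name": "customMCP", "inputs": {"mcpServerConfig": json.dumps(
            {"url": "https://mcp.example.invalid/sse"})}}},
    ]
}

if __name__ == "__main__":
    for f in audit_chatflow(SAMPLE_CHATFLOW):
        print(f"[{f['severity']}] node={f['node']} server={f['server']} "
              f"cmd={f['command']} args={f['args']} :: {'; '.join(f['reasons'])}")
```

Run it with `audit_file("exported-chatflow.json")` as a gate in whatever process accepts community templates; treat any `high` finding as a block and any `review` finding as something a human signs off on, since an allowlisted launcher still executes whatever package its arguments name.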