CVE-2026-40933 — Flowise MCP stdio RCE: 1-Click Server Takeover via Malicious Workflow

What Happened

  • Obsidian Security disclosed CVE-2026-40933, a critical remote code execution flaw in Flowise, a popular open-source platform for building LLM workflows and AI agents with over 52,000 GitHub stars.
  • The vulnerability lies in Flowise's Custom MCP tool when configured with the stdio transport: it launches a user-supplied command as a child process on the Flowise server with no sandbox.
  • An attacker hides a malicious command inside a shared workflow file (chatflow). When a logged-in user imports the chatflow, the editor automatically queries the configured MCP server as the workflow loads — executing the command immediately. No save, run, or approval step is needed.
  • Flowise responded with an input-validation allowlist, but Obsidian warned the fix treats the symptom rather than the cause: the feature is built to execute code, and attackers can still express malicious behavior inside allowed input.
  • Self-hosted Flowise installations (both open-source and enterprise) remain vulnerable by default even on the current version. Flowise Cloud is not affected.
  • A second CVE, tracked as CVE-2026-58057, was disclosed the same week: Flowise before 3.1.3 validates Custom MCP stdio environment variables against a denylist using a case-sensitive comparison. Because Windows resolves environment variable names case-insensitively, supplying node_options bypasses the NODE_OPTIONS denylist entry and reaches the same RCE path.
  • This follows Obsidian's earlier research into a similar RCE in Langflow (CVE-2026-12045 / CVE-2026-7524), where hackers exploited a critical bug within 20 hours of disclosure.

Why It Matters

Flowise is one of the most widely deployed open-source AI agent builders. The stdio MCP transport is enabled by default and designed to execute arbitrary commands — making it a native RCE surface. Shared workflow files are a core collaboration feature, meaning the attack vector is baked into normal usage. The bypassable patch demonstrates that input validation alone cannot secure a feature whose entire purpose is code execution.

What To Do

  • Disable the stdio MCP transport in Flowise unless explicitly required. Switch Custom MCP protocol to Server-Sent Events (SSE), which removes the execution path entirely.
  • Treat any imported MCP configuration or chatflow as untrusted code. Restrict imports to known, verified sources only.
  • Upgrade to Flowise 3.1.3+ for the CVE-2026-58057 Windows bypass fix, but do not rely on the allowlist as a primary defense.
  • Run self-hosted Flowise instances in isolated containers with minimal privileges and no direct access to internal networks or secrets.
  • Monitor for CVE-2026-40933 exploitation in the wild — given the Langflow precedent (weaponized in 20 hours), expect rapid adoption by attackers.
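A pre-import audit that puts the "treat imported chatflows as untrusted code" advice and the CVE-2026-58057 case-sensitivity bug into practice, as an added example that is not Flowise's own code. It assumes Custom MCP nodes appear as nodes[].data.name === "customMCP" with data.inputs.mcpServerConfig as a JSON string; the denylist contents are illustrative (the page names only NODE_OPTIONS).

```javascript
// Added example, not Flowise code. Assumed export layout: nodes[].data.name ===
// "customMCP" and data.inputs.mcpServerConfig is a JSON string holding either
// {command, args, env} (stdio transport) or {url} (SSE). Denylist is illustrative.
const ENV_DENYLIST = ["NODE_OPTIONS"];

// Weak check, as described for CVE-2026-58057: exact, case-sensitive comparison.
// Windows resolves env var names case-insensitively, so "node_options" passes here
// yet is honoured by the spawned child process.
function isDeniedEnvCaseSensitive(name) {
  return ENV_DENYLIST.includes(name);
}

// Hardened check: normalise case and whitespace before comparing, on every host.
function isDeniedEnv(name) {
  const norm = name.trim().toUpperCase();
  return ENV_DENYLIST.some((d) => d.toUpperCase() === norm);
}

// One finding per risky property: any stdio transport (it launches a process on
// the server) and any env var name that matches the denylist.
function auditChatflow(chatflow) {
  const findings = [];
  for (const node of chatflow.nodes ?? []) {
    if (node.data?.name !== "customMCP") continue;
    let cfg;
    try {
      cfg = JSON.parse(node.data.inputs?.mcpServerConfig ?? "{}");
    } catch {
      findings.push({ node: node.id, issue: "unparseable mcpServerConfig" });
      continue;
    }
    if (cfg.command) {
      const cmd = [cfg.command, ...(cfg.args ?? [])].join(" ");
      findings.push({ node: node.id, issue: "stdio transport launches a process", command: cmd });
    }
    for (const key of Object.keys(cfg.env ?? {})) {
      if (isDeniedEnv(key)) findings.push({ node: node.id, issue: `denied env var ${key}` });
    }
  }
  return findings;
}

// Constructed sample: an SSE node (no process) and a stdio node whose env key is
// lower-cased so that the case-sensitive check misses it.
const SAMPLE_CHATFLOW = {
  nodes: [
    { id: "mcp_0", data: { name: "customMCP", inputs: { mcpServerConfig: JSON.stringify({ url: "http://localhost:3001/sse" }) } } },
    { id: "mcp_1", data: { name: "customMCP", inputs: { mcpServerConfig: JSON.stringify({ command: "npx", args: ["-y", "example-mcp-server"], env: { node_options: "constructed-value" } }) } } },
  ],
};
```

Run the audit over an exported chatflow before importing it into a self-hosted instance; any "stdio transport" finding means the import will spawn a process on the server as soon as the editor loads the node.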

Sources