Flowise CVE-2026-40933 — MCP stdio Transport RCE on Import

AI relevance: Flowise is a widely deployed platform for building LLM agent workflows — this vulnerability lets an attacker achieve full server compromise the moment a user imports a malicious workflow, with no save or run step required.

  • CVE-2026-40933 is a critical remote code execution flaw in Flowise, an open-source LLM workflow builder with 52,000+ GitHub stars.
  • The vulnerability lives in Flowise's Custom MCP tool when configured with stdio transport — it launches user-supplied commands as child processes on the server with no sandbox.
  • Importing a malicious chatflow (workflow file) is sufficient to trigger execution — the editor automatically queries the configured server as the workflow loads onto the canvas.
  • No save, run, or approval step is needed before the code executes; the attack fires on import alone.
  • Flowise's official patch adds input validation with an allowlist, but Obsidian Security warns it can be bypassed because the feature is designed to execute code.
  • Self-hosted deployments (both open-source and enterprise editions) are vulnerable by default; Flowise Cloud is not affected.
  • The finding follows a similar RCE in Langflow, highlighting a pattern: MCP stdio transport in AI workflow tools creates an unsandboxed execution path.

Why it matters

Flowise is a popular platform for building agentic AI workflows. The stdio MCP transport is a legitimate feature for connecting to external services, but it spawns child processes on the server without isolation. When combined with a workflow import feature that auto-executes queries on load, the result is a one-click RCE: an attacker crafts a malicious chatflow, gets a victim to import it, and code runs before any human interaction beyond the import click.

The bypassable patch is the deeper concern. Input validation on a feature designed to execute arbitrary commands is a whack-a-mole approach. The attack surface remains open by default.

What to do

  • Disable stdio transport — switch Flowise's Custom MCP protocol to Server-Sent Events (SSE), which removes the execution path entirely.
  • Treat imported chatflows as code — restrict imports to trusted sources; do not load shared workflows from unknown origins.
  • Audit existing deployments — check whether stdio MCP is enabled and whether any untrusted chatflows have been imported.
  • Isolate Flowise instances — run behind network segmentation with minimal outbound access; do not expose to the public internet.
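
One way to carry out the import-review and audit steps above is to scan a chatflow export for stdio-style MCP server definitions before it is loaded into the editor. This is an added example, not Flowise's or Obsidian Security's code. The layout it assumes (a top-level `nodes` list, `data.inputs`, an `mcpServerConfig` input holding JSON with a `command` key) and the sample chatflow are assumptions constructed for illustration.

```python
import json

# Constructed sample export. Field names (nodes, data.name, data.inputs,
# mcpServerConfig) are assumptions about the export layout, not from the page.
SAMPLE_CHATFLOW = json.dumps({"nodes": [
    {"id": "customMCP_0", "data": {"name": "customMCP", "inputs": {
        "mcpServerConfig": json.dumps(
            {"command": "npx", "args": ["-y", "example-mcp-server"]})}}},
    {"id": "customMCP_1", "data": {"name": "customMCP", "inputs": {
        "mcpServerConfig": json.dumps({"url": "https://mcp.example.internal/sse"})}}},
    {"id": "chatOpenAI_0", "data": {"name": "chatOpenAI", "inputs": {
        "modelName": "example-model"}}},
]})


def _walk(obj, path):
    """Yield (path, command, args) for each stdio-style server definition."""
    if isinstance(obj, str) and obj.lstrip()[:1] in ("{", "["):
        try:
            obj = json.loads(obj)  # configs are often stored as JSON strings
        except ValueError:
            # Fail closed: an unparseable config that mentions a command is flagged.
            if "command" in obj:
                yield path, "<unparsed>", []
            return
    if isinstance(obj, dict):
        if "command" in obj:
            yield path, obj["command"], obj.get("args", [])
        for key, val in obj.items():
            yield from _walk(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _walk(val, f"{path}[{i}]")


def find_stdio_mcp(chatflow_text):
    """List nodes in a chatflow export that would spawn a local process."""
    findings = []
    for node in json.loads(chatflow_text).get("nodes", []):
        for path, command, args in _walk(node.get("data", {}), "data"):
            findings.append({"node": node.get("id"), "path": path,
                             "command": command, "args": args})
    return findings


if __name__ == "__main__":
    for f in find_stdio_mcp(SAMPLE_CHATFLOW):
        print(f"REVIEW {f['node']} {f['path']}: {f['command']} {f['args']}")
```

Any finding means the file should be reviewed as code before import; an empty result only shows that no `command` key was found under the assumed layout.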

Sources