Flowise CVE-2026-40933 — MCP stdio Transport RCE on Import
AI relevance: Flowise is a widely deployed platform for building LLM agent workflows — this vulnerability lets an attacker achieve full server compromise the moment a user imports a malicious workflow, with no save or run step required.
- CVE-2026-40933 is a critical remote code execution flaw in Flowise, an open-source LLM workflow builder with 52,000+ GitHub stars.
- The vulnerability lives in Flowise's Custom MCP tool when configured with stdio transport — it launches user-supplied commands as child processes on the server with no sandbox.
- Importing a malicious chatflow (workflow file) is sufficient to trigger execution — the editor automatically queries the configured server as the workflow loads onto the canvas.
- No save, run, or approval step is needed before the code executes; the attack fires on import alone.
- Flowise's official patch adds input validation with an allowlist, but Obsidian Security warns it can be bypassed because the feature is designed to execute code.
- Self-hosted deployments (both open-source and enterprise editions) are vulnerable by default; Flowise Cloud is not affected.
- The finding follows a similar RCE in Langflow, highlighting a pattern: MCP stdio transport in AI workflow tools creates an unsandboxed execution path.
Why it matters
Flowise is a popular platform for building agentic AI workflows. The stdio MCP transport is a legitimate feature for connecting to external services, but it spawns child processes on the server without isolation. When combined with a workflow import feature that auto-executes queries on load, the result is a one-click RCE: an attacker crafts a malicious chatflow, gets a victim to import it, and code runs before any human interaction beyond the import click.
The bypassable patch is the deeper concern. Input validation on a feature designed to execute arbitrary commands is a whack-a-mole approach. The attack surface remains open by default.
What to do
- Disable stdio transport — switch Flowise's Custom MCP protocol to Server-Sent Events (SSE), which removes the execution path entirely.
- Treat imported chatflows as code — restrict imports to trusted sources; do not load shared workflows from unknown origins.
- Audit existing deployments — check whether stdio MCP is enabled and whether any untrusted chatflows have been imported.
- Isolate Flowise instances — run behind network segmentation with minimal outbound access; do not expose to the public internet.
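To support the "treat imported chatflows as code" and "audit existing deployments" items above, here is an added example (not Flowise's own code and not part of the original advisory) that scans an exported chatflow JSON and flags Custom MCP nodes whose configuration selects stdio transport, so such files can be rejected before import or found in existing exports. The node name `customMCP`, the `mcpServerConfig` input key, and the command/url config shapes are assumptions about the export format; verify them against your Flowise version.

```python
import json
from typing import Any, Dict, List

# Constructed sample export, not a real Flowise file. The node name "customMCP"
# and the "mcpServerConfig" input key are assumptions about the chatflow schema.
SAMPLE_CHATFLOW = json.dumps({
    "nodes": [
        {"id": "llm_0", "data": {"name": "chatOpenAI", "inputs": {"modelName": "gpt-4o"}}},
        {"id": "mcp_0", "data": {"name": "customMCP", "inputs": {
            "mcpServerConfig": json.dumps({"command": "npx", "args": ["-y", "some-mcp-server"]})}}},
        {"id": "mcp_1", "data": {"name": "customMCP", "inputs": {
            "mcpServerConfig": json.dumps({"url": "https://mcp.example.internal/sse"})}}},
    ]
})

def _parse_config(raw: Any) -> Dict[str, Any]:
    """mcpServerConfig is assumed to be a JSON string; tolerate a dict, None, or bad JSON."""
    if isinstance(raw, dict):
        return raw
    try:
        parsed = json.loads(raw)
    except (json.JSONDecodeError, TypeError):
        return {}
    return parsed if isinstance(parsed, dict) else {}

def find_stdio_mcp_nodes(chatflow_json: str) -> List[Dict[str, Any]]:
    """Return every Custom MCP server entry whose config would spawn a local process."""
    # A "command" key selects stdio transport (child process on the Flowise host);
    # a config carrying only "url" selects SSE, spawns nothing, and is not reported.
    flow = json.loads(chatflow_json)
    findings = []
    for node in flow.get("nodes", []):
        data = node.get("data", {})
        if data.get("name") != "customMCP":
            continue
        cfg = _parse_config(data.get("inputs", {}).get("mcpServerConfig"))
        # Accept a flat config or a {"mcpServers": {name: {...}}} map (both assumed forms).
        servers = cfg["mcpServers"] if isinstance(cfg.get("mcpServers"), dict) else {"(root)": cfg}
        for name, srv in servers.items():
            if isinstance(srv, dict) and "command" in srv:
                findings.append({"node_id": node.get("id"), "server": name,
                                 "command": srv["command"], "args": srv.get("args", [])})
    return findings

if __name__ == "__main__":  # gate an import: refuse any chatflow that needs stdio
    for f in find_stdio_mcp_nodes(SAMPLE_CHATFLOW):
        print(f"REJECT: node {f['node_id']} would spawn {f['command']} {' '.join(f['args'])}")
```

Run it over every exported chatflow in a deployment (or on files before they are imported); any non-empty result is a node that would spawn a process on the Flowise host and should be switched to SSE or removed.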