Exploit Code Published for Critical Flowise RCE Vulnerability

The one-click vulnerability allows attackers to execute arbitrary code on self-hosted Flowise servers by tricking users into importing a malicious chatflow.

Obsidian Security has released technical information and proof-of-concept (PoC) code targeting a remote code execution (RCE) vulnerability in Flowise.

The issue, tracked as CVE-2026-40933 (CVSS score of 9.9), was disclosed in April along with several other security defects impacting AI ecosystems that rely on Anthropic’s Model Context Protocol (MCP).

Flowise, a popular open source platform with over 52,000 GitHub stars that provides developers with a drag-and-drop interface for building LLM flows and AI agents, was flagged as one of the impacted products.

According to OX Security, the root cause of the issue is a “by design”, systemic command injection vulnerability in Anthropic MCP, which propagates through the ecosystem.

A NIST advisory describes CVE-2026-40933 as an unsafe serialization of stdio commands in the MCP adapter, allowing an attacker to add an MCP stdio server with an arbitrary command and achieve code execution.

The security weakness existed because Flowise before version 3.1.0 allowed any user to add a new MCP and, when doing so, to add any command, enabling code execution on the underlying OS.

According to Obsidian, the bug can be exploited by attackers to take over servers by simply convincing a user to import a crafted chatflow. The import action triggers arbitrary code execution on the server.

“Any user who can create or edit chatflows can add a Custom MCP Tool and supply a malicious stdio MCP configuration. In practice, this requires a malicious insider or a compromised user account,” Obsidian notes.

A remote attacker, the cybersecurity firm explains, can include a malicious command in a Custom MCP Tool configuration, export the chatflow as JSON, and share it with the victim. The payload abuses Flowise’s legitimate functionality to execute the malicious command during the import process.

“Flowise’s Custom MCP node has an ‘Available Actions’ dropdown that lists the tools exposed by the configured MCP server. To populate that dropdown, the canvas asks the backend to enumerate the server’s tools. With stdio transport, enumeration starts the configured command. Because the dropdown loads when the imported chatflow renders on the canvas, the import alone can spawn the command,” Obsidian notes.

The cybersecurity firm has published PoC code that, when imported, creates a shell back to Docker’s bridge address for the host.

Obsidian says successful exploitation of CVE-2026-40933 leads to “OS-level execution with the Flowise process’s privileges, often root in containerized deployments. Every credential stored in the platform is readable. Every connected service is reachable. Flowise in production is typically wired into databases, APIs, and cloud accounts; the blast radius scales with whatever it connects to.”

The cybersecurity firm notes that Flowise Cloud is not affected, because it has stdio MCP disabled. Self-hosted instances are vulnerable by default.
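
A pre-import check for the import path described above, as an added example (not Obsidian's PoC and not Flowise code): it walks an exported chatflow JSON and reports every embedded MCP server configuration that carries a stdio `command`, so the file can be reviewed before it is rendered on the canvas. The node and field names in the constructed sample (`customMCP`, `mcpServerConfig`) are assumptions about the export layout; the scanner does not depend on them.

```python
import json


def find_stdio_mcp(obj, path="$"):
    """Return (json_path, command, args) for each stdio-style MCP config found.

    A dict with a string "command" key is treated as a stdio server entry,
    following the common MCP config shape {"command", "args", "env"}.
    """
    findings = []
    if isinstance(obj, str):
        text = obj.strip()
        if not text or text[0] not in "{[":
            return findings
        try:
            # Node inputs may hold a config as a JSON-encoded string.
            obj = json.loads(text)
            path += "<json>"
        except ValueError:
            # Fail closed: unparseable text that mentions a command is reported.
            if '"command"' in text:
                findings.append((path, "<unparseable>", []))
            return findings
    if isinstance(obj, dict):
        if isinstance(obj.get("command"), str):
            findings.append((path, obj["command"], obj.get("args", [])))
        for key, value in obj.items():
            findings += find_stdio_mcp(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            findings += find_stdio_mcp(value, f"{path}[{index}]")
    return findings


def safe_to_import(export_text):
    """True only when the export contains no stdio MCP configuration."""
    return not find_stdio_mcp(json.loads(export_text))


# Constructed sample export; names and values are illustrative, not from Flowise.
SAMPLE_EXPORT = json.dumps({
    "nodes": [
        {"id": "customMCP_0", "data": {"name": "customMCP", "inputs": {
            "mcpServerConfig": json.dumps(
                {"command": "placeholder-binary", "args": ["--constructed"]})}}},
        {"id": "exampleNode_0", "data": {"name": "exampleNode",
                                         "inputs": {"temperature": 0.2}}},
    ],
    "edges": [],
})
```

A non-empty result means the file would start a local process if stdio MCP is enabled on the server, and should be held for manual review.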

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
