
Critical Flowise Flaw Gives Attackers Full Server Control

By Team-CWD, June 1, 2026


A critical flaw in the open-source AI platform Flowise has been disclosed, along with working proof-of-concept (PoC) code. The flaw allows an attacker to take over a server when a logged-in user simply imports a malicious workflow file.

According to new analysis from Obsidian Security, the bug, tracked as CVE-2026-40933, affects Flowise, a widely used platform for building large language model (LLM) workflows and AI agents with more than 52,000 GitHub stars. Self-hosted deployments are vulnerable by default, while the managed Flowise Cloud service is not affected.

The finding builds on the firm’s earlier research into a similar remote code execution (RCE) flaw in Langflow, another open-source AI platform. Obsidian released a PoC exploit with its disclosure and warned that the official fix can be circumvented, leaving the latest release exposed.

Custom MCP Tool Spawns Server Commands

The weakness lies in Flowise’s Custom MCP tool, a feature that lets users wire external services into the Model Context Protocol (MCP).

When set to the stdio transport, the tool launches a user-supplied command as a child process on the Flowise server, with no sandbox around it.

Because Flowise lets users export and share these workflows, known as chatflows, an attacker can hide a malicious command inside one.

Obsidian found that merely importing such a chatflow is enough to run the command, since the editor automatically queries the configured server as the workflow loads onto the canvas. No save, run or approval step is needed before the code executes.

A Patch That Can Be Bypassed

Flowise answered the disclosure with an input-validation layer that allowlists permitted commands and blocks risky arguments.

However, Obsidian said this treats the symptom rather than the cause, because the feature is built to execute code and an attacker can still express malicious behavior inside the allowed input.


The upshot is that self-hosted installations, both open-source and enterprise, stay vulnerable by default even on the current version. Obsidian argued that stdio MCP should be switched off unless it is explicitly needed, rather than left running behind validation checks that can be worked around.

The most effective protection is to disable the stdio transport by switching Flowise’s Custom MCP protocol to Server-Sent Events (SSE), which removes the execution path entirely. 

Teams that rely on the feature were urged to treat any imported MCP configuration as code, restrict it to trusted sources and avoid loading shared chatflows from unknown origins.
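
One way to apply the "treat imported MCP configuration as code" advice is to audit a shared chatflow export before it is opened in the editor. The sketch below is an added example, not code from Flowise or Obsidian; it assumes a stdio-style MCP server config is a JSON object with a `command` key, possibly stored as a JSON string inside a node input, and the field names in the samples (`mcpServerConfig`, `nodes`, `inputs`) are illustrative.

```javascript
// Pre-import audit for a shared chatflow export (added example).
// Assumption: a stdio MCP server config is an object with a "command" key
// (optionally "args"), possibly serialized as a JSON string in a node input.
// The walk is schema-agnostic, so it does not rely on exact Flowise field names.

function tryParseJson(value) {
  if (typeof value !== "string") return undefined;
  const s = value.trim();
  if (!s.startsWith("{") && !s.startsWith("[")) return undefined;
  try { return JSON.parse(s); } catch { return undefined; }
}

function findStdioConfigs(node, path = "$", hits = []) {
  // Configs are often stored as JSON text inside the export; unwrap and recurse.
  const embedded = tryParseJson(node);
  if (embedded !== undefined) return findStdioConfigs(embedded, path + "<json>", hits);
  if (Array.isArray(node)) {
    node.forEach((v, i) => findStdioConfigs(v, `${path}[${i}]`, hits));
  } else if (node && typeof node === "object") {
    if (typeof node.command === "string") {
      hits.push({ path, command: node.command, args: Array.isArray(node.args) ? node.args : [] });
    }
    for (const [k, v] of Object.entries(node)) findStdioConfigs(v, `${path}.${k}`, hits);
  }
  return hits;
}

// Fail closed: any process-spawning config blocks the import pending review.
function auditChatflow(exportText) {
  const hits = findStdioConfigs(JSON.parse(exportText));
  return { allowImport: hits.length === 0, hits };
}

// Constructed samples (not real exports); names and values are placeholders.
const stdioSample = JSON.stringify({
  nodes: [{ id: "mcp_0", data: { inputs: {
    mcpServerConfig: JSON.stringify({ command: "example-binary", args: ["--flag"] }),
  } } }],
});
const sseSample = JSON.stringify({
  nodes: [{ id: "mcp_0", data: { inputs: {
    mcpServerConfig: JSON.stringify({ url: "https://mcp.example.internal/sse" }),
  } } }],
});

console.log(auditChatflow(stdioSample)); // blocked, one hit with its JSON path
console.log(auditChatflow(sseSample));   // allowed, no command-bearing config
```

The check deliberately does not try to judge whether a command is "safe", since the article's point is that validation of allowed commands can be worked around; any hit is routed to a human reviewer.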


