Bottom line: CVE-2026-40933 enables Remote Code Execution with CVSS 9.9 through unsanitized MCP configurations in self-hosted Flowise instances.
In self-hosted Flowise deployments, a sandboxing weakness in the Model Context Protocol (MCP) implementation allows post-authentication Remote Code Execution. Attackers can execute arbitrary operating system commands via the stdio-MCP interface.
Obsidian Security has disclosed a critical vulnerability in Flowise that allows authenticated attackers to execute arbitrary operating system commands. The vulnerability (CVE-2026-40933) affects the stdio-server implementation of the Model Context Protocol and has been rated CVSS 9.9. An exploit is already publicly available.
The problem lies in the fact that Flowise allows users to configure MCP-stdio servers with arbitrary commands – these are then executed by the operating system. Since the stdio interface is designed for local process invocations, attackers can thereby abuse the file systems, databases, credentials, and SSH access of the Flowise process. In containerized environments, this often corresponds to root-level access to the host. A successful compromise exposes API keys, databases, cloud resources, and all SaaS applications accessible via Flowise.
Flowise had implemented several patch iterations: first a standard-enabled validation layer (#5232), then flag validations (#5741, #5943). According to Obsidian Security, however, these protective mechanisms can be bypassed under certain conditions. The root issue – that users can configure stdio-MCP at all – was not addressed. Flowise declined to disable stdio-MCP by default and release it only with explicit opt-in, as it did not want to “completely shut off” features that users might depend on.
Flowise Cloud is not affected, as stdio-MCP is not enabled there. For self-hosted deployments, researchers recommend as the only complete mitigation disabling MCP stdio by setting CUSTOM_MCP_PROTOCOL=sse. Those unable to do so should at least review chatflow imports from untrusted sources and pin versions of trusted packages.
Source: www.csoonline.com · Published June 1, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.8.