CVE-2026-40933

Aliases:GHSA-c9gw-hvqq-f33r

Received

Published: 21 Apr 2026, 21:00

Last modified:21 Apr 2026, 21:00

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

10 CRITICAL

v3.1 (cve.org)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

21 Apr 2026, 21:00

Published

Vulnerability first disclosed

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerability lies in a bug in the input sanitization from the “Custom MCP” configuration in http://localhost:3000/canvas - where any user can add a new MCP, when doing so - adding a new MCP using stdio, the user can add any command, even though your code have input sanitization checks such as validateCommandInjection and validateArgsForLocalFileAccess, and a list of predefined specific safe commands - these commands, for example "npx" can be combined with code execution arguments ("-c touch /tmp/pwn") that enable direct code execution on the underlying OS. This vulnerability is fixed in 3.1.0.

CVSS Metrics

v3.1•CRITICAL•Score: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Techniques & Countermeasures

CWE-78•Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Affected Systems

flowiseai•flowise
< 3.1.0
flowiseai•flowise-components
< 3.1.0
Npm•flowise
< 3.1.0
Npm•flowise-components
< 3.1.0