
Flowise Custom MCP RCE (CVE-2026-40933)

Type: Vulnerability
Happening score: 31
1 unique source, 1 article

Summary


A critical RCE flaw in Flowise, tracked as CVE-2026-40933, lets an attacker take over self-hosted deployments when a logged-in user imports a malicious workflow file. The weakness sits in the Custom MCP tool and its stdio transport, where user-supplied commands can run on the server. Obsidian Security published working PoC code and said the disclosed fix can be bypassed. The managed Flowise Cloud service is not affected, but operators running the open-source platform should disable the stdio transport and use SSE instead.

Related Happenings

CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551

Public Sector Action
First: 04.02.2026 07:50 · Last: 04.02.2026 07:50 · Sources: 1

About this happening: **CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...

Tick Motex Lanscope CVE-2025-61932 exploitation campaign

Campaign
First: 31.10.2025 15:26 · Last: 31.10.2025 15:26 · Sources: 1

About this happening: A **Tick (Bronze Butler)** campaign exploited **CVE-2025-61932** in **Motex Lanscope Endpoint Manager** to deploy **Gokcpdoor** and gain remote access to compromised hosts. The op...

Timeline

  1. 01.06.2026 17:00 · 2 articles

    Critical Flowise flaw enables server takeover through malicious workflow imports

    Initial Disclosure

    Obsidian Security disclosed CVE-2026-40933 in Flowise, showing that the Custom MCP tool can launch a user-supplied command as a child process when a logged-in user imports a malicious chatflow or workflow file. The disclosure included working PoC code, said self-hosted Flowise deployments are vulnerable by default while Flowise Cloud is not affected, and recommended disabling the stdio transport in favor of SSE because the input-validation layer can be bypassed.
