Technical description
Obsidian Security researchers disclosed a one-click remote code execution vulnerability in Flowise, an open-source AI-agent workflow platform with 52,000+ GitHub stars. The root cause is that Custom MCP's stdio transport is a code-execution primitive — it spawns configured commands as child processes. When an authorised user imports a crafted chatflow artifact, the stdio MCP configuration is processed immediately, triggering arbitrary server-side OS command execution without any additional user interaction. Flowise Cloud is not affected because stdio MCP is disabled there; self-hosted Flowise installations using Custom MCP are the affected surface.
Attack vector
An attacker crafts a malicious Flowise chatflow export (JSON artifact) and convinces an authorised user to import it via the normal chatflow import UI. Import alone — before the workflow is run — triggers the server-side execution. The attack can be delivered through shared chatflow links, supply-chain compromise of chatflow templates, or social engineering.
Affected systems
Self-hosted Flowise installations with Custom MCP enabled (stdio transport). Flowise Cloud (flowise.ai hosted service) is explicitly not affected. Affects Flowise versions prior to the patch; check vendor disclosure for exact version range.
Mitigation
Disable stdio MCP in self-hosted Flowise: set `CUSTOM_MCP_PROTOCOL=sse` (SSE transport does not spawn local processes). Restrict chatflow import to trusted administrators only. Isolate Flowise server processes in containers with no host filesystem or credential access. Monitor for child process spawns from the Flowise Node.js process. Apply the vendor patch when available.
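A pre-import check that supports the import restriction above, as an added example (not Flowise's or Obsidian Security's code): it walks a chatflow export and flags any embedded object shaped like an MCP stdio server definition. The `command`/`args` shape follows the common MCP stdio configuration convention; the `customMCP` and `mcpServerConfig` names in the constructed samples are assumptions, not a confirmed Flowise schema.

```javascript
// Added example: screen a chatflow export for stdio-style MCP definitions before import.
// Field names in the samples are assumptions, not Flowise's documented schema.

// Node inputs are often stored as JSON strings, so parse strings that look like JSON.
// Template strings such as "{{question}}" fail to parse and are simply skipped.
function tryParse(value) {
  const s = value.trim();
  if (!s.startsWith('{') && !s.startsWith('[')) return undefined;
  try { return JSON.parse(s); } catch { return undefined; }
}

// Recursively walk the artifact and report every object carrying a "command" string,
// the shape of an MCP stdio server definition (command + args + env).
function findStdioConfigs(node, path = '$', hits = []) {
  if (typeof node === 'string') {
    const parsed = tryParse(node);
    if (parsed !== undefined) findStdioConfigs(parsed, path + '<json>', hits);
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => findStdioConfigs(v, `${path}[${i}]`, hits));
  } else if (node && typeof node === 'object') {
    if (typeof node.command === 'string') {
      hits.push({ path, command: node.command, args: Array.isArray(node.args) ? node.args : [] });
    }
    for (const [k, v] of Object.entries(node)) findStdioConfigs(v, `${path}.${k}`, hits);
  }
  return hits;
}

// Returns ok=false for unparseable input or when any stdio-style definition is present.
function scanChatflow(jsonText) {
  let doc;
  try { doc = JSON.parse(jsonText); }
  catch { return { ok: false, reason: 'unparseable', hits: [] }; }
  const hits = findStdioConfigs(doc);
  return { ok: hits.length === 0, reason: hits.length ? 'stdio-mcp-config' : 'clean', hits };
}

// Constructed sample exports (not real Flowise artifacts).
const SAMPLE_STDIO = JSON.stringify({ nodes: [{ data: { name: 'customMCP',
  inputs: { mcpServerConfig: '{"command":"example-binary","args":["--flag"]}' } } }] });
const SAMPLE_SSE = JSON.stringify({ nodes: [{ data: { name: 'customMCP',
  inputs: { mcpServerConfig: '{"url":"https://mcp.example.internal/sse"}' } } }] });

for (const [label, text] of [['stdio', SAMPLE_STDIO], ['sse', SAMPLE_SSE]]) {
  console.log(label, JSON.stringify(scanChatflow(text)));
}
```

A hit means the artifact should go to an administrator for review before import. A clean result only covers this one configuration shape and does not replace disabling stdio MCP.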