What happened
Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature. Incomplete command-flag validation and a bypass of the local file access restriction regex allow any authenticated Flowise user (any role) or an API user with view/update permissions to inject arbitrary OS commands that are executed by the server. CVSS 9.9 Critical, published 2026-06-23.
Why it matters
Flowise is a widely used no-code LLM agent builder, and MCP integration is one of its primary use cases. Any low-privilege Flowise account holder, including API integrations, can therefore achieve full server RCE through the MCP feature, compromising the underlying host, all stored credentials, connected data sources, and agent tool access.
Attack vector
Authenticated HTTP request to the Custom MCP Server configuration endpoint with crafted command flags or regex-bypassing payloads; the injected OS commands execute with the privileges of the Flowise server process.
Affected systems
Flowise < 3.1.2
Mitigation
Upgrade to Flowise 3.1.2. Advisory: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-m99r-2hxc-cp3q