What happened
Flowise versions up to 2.2.7-patch.1 contain an unsandboxed RCE vulnerability in the Custom MCP feature, which is designed to execute OS commands to launch local MCP servers. Because Flowise's auth model is minimal and authentication is disabled by default, an unauthenticated attacker can spoof an internal request header and supply arbitrary OS commands that execute with the privileges of the Flowise process, achieving complete container compromise.
Why it matters
Flowise is a widely-deployed no-code LLM/agent orchestration platform. The MCP feature is intended for trusted local use but exposes a direct OS command execution path with no sandboxing. Unauthenticated exploitation means any network-reachable Flowise instance is a full RCE target — an attacker can exfiltrate all embedded API keys, model configs, and agent tool credentials, or pivot to connected services.
Attack vector
An attacker sends a crafted JSON payload with the header 'x-request-from: internal' to the /api/v1/node-load-method/customMCP endpoint; no credentials are required. The Custom MCP feature executes OS commands directly without sandboxing, yielding full container/server compromise.
Affected systems
Flowise ≤ 2.2.7-patch.1 (fixed in 3.0.6)
Mitigation
Upgrade to Flowise 3.0.6. Advisory: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6933-jpx5-q87q
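Detection example (added here, not part of the advisory or of Flowise): a log scan that flags requests matching the attack vector above, so an operator can check whether an exposed instance was touched before it was upgraded. It assumes a reverse proxy in front of Flowise that writes JSON lines with the hypothetical fields client, uri and headers, and that no request arriving through that proxy should legitimately carry the x-request-from header; the sample lines are constructed.

```python
import ipaddress
import json
from urllib.parse import unquote

ENDPOINT = "/api/v1/node-load-method/custommcp"  # from the advisory, lowercased
HEADER = "x-request-from"                        # header named in the advisory

# Constructed sample lines; the JSON field names are an assumed proxy log format.
SAMPLE_LOG = [
    '{"client": "203.0.113.7", "uri": "/api/v1/node-load-method/customMCP", "headers": {"X-Request-From": "internal"}}',
    '{"client": "198.51.100.20", "uri": "/api/v1/node-load-method/customMCP/?a=1", "headers": {}}',
    '{"client": "127.0.0.1", "uri": "/api/v1/node-load-method/customMCP", "headers": {"x-request-from": "internal"}}',
    '{"client": "203.0.113.7", "uri": "/api/v1/chatflows", "headers": {}}',
    'truncated line, not JSON',
]


def classify(line):
    """Return 'spoofed-internal', 'probe', or None for one JSON log line."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    # Drop the query string, decode percent-escapes, ignore case and trailing slash.
    path = unquote(str(rec.get("uri", "")).split("?", 1)[0]).rstrip("/").lower()
    if path != ENDPOINT:
        return None
    try:
        if ipaddress.ip_address(str(rec.get("client", ""))).is_loopback:
            return None  # assumption: loopback clients are local operators
    except ValueError:
        pass  # unparseable client address: treat it as remote
    headers = rec.get("headers")
    headers = headers if isinstance(headers, dict) else {}
    values = {str(k).lower(): str(v).strip().lower() for k, v in headers.items()}
    # Assumption: traffic through the edge proxy never legitimately sets this header.
    return "spoofed-internal" if values.get(HEADER) == "internal" else "probe"


def scan(lines):
    """Return (line_number, verdict) for every flagged line."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, verdict) for n, verdict in hits if verdict]


if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

Most proxies do not log custom request headers by default, so header logging for x-request-from has to be enabled before the "spoofed-internal" verdict can fire; without it, every hit on the endpoint is reported as "probe".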