Vulnerability intelligence

CVE-2026-40933

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerability lies in a bug in the input sanitization from the “Custom MCP” configuration in http://localhost:3000/canvas where any user can add a new MCP, when doing so adding a new MCP using stdio, the user can add any command, even though your code have input sanitization checks such as validateCommandInjection and validateArgsForLocalFileAccess, and a list of predefined specific safe commands these commands, for example "npx" can be combined with code execution arguments ("-c touch /tmp/pwn") that enable direct code execution on the underlying OS. This vulnerability is fixed in 3.1.0.

CVSS Score

Critical

EPSS — Exploit Probability

0.1%

Riskier than 22% of all CVEs

Exploitation

Not in CISA KEV

No federal exploitation record

Remediation

Patch available

Vendor fix published

NVD entry Vendor patch PoC / advisory

2 articles across 2 outlets · first covered May 30, 2026 · latest Jun 1, 2026

Coverage timeline

Critical Flowise Bug CVE-2026-40933 Lets Attackers Hijack Servers
www.infosecurity-magazine.com · Jun 1, 2026
Flowise AI tool hit by critical RCE flaw CVE-2026-40933
www.securityweek.com · May 30, 2026