Exploit code published for Flowise remote-code-execution flaw CVE-2026-40933 affecting self-hosted servers

Public exploit code is now available for a critical Flowise bug that can let attackers take over self-hosted AI workflow servers by getting someone to import a malicious chatflow. The flaw, CVE-2026-40933 (CVSS 9.9), affects Flowise before 3.1.0 and stems from unsafe handling of Anthropic Model Context Protocol (MCP) stdio commands in the MCP adapter. Importing a crafted chatflow can trigger command execution during tool enumeration, leading to operating-system-level code execution with the Flowise process's privileges. Flowise Cloud is not affected because stdio MCP is disabled there.
Why it matters: Organizations running self-hosted Flowise should treat this as urgent because working exploit code lowers the barrier to real attacks and the flaw can expose stored credentials and connected services. Update to 3.1.0 or later and limit who can create or import chatflows, especially where Flowise is connected to databases, APIs, or cloud accounts.
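The mitigation above comes down to two checks a self-hosted operator can automate: is the running Flowise older than 3.1.0, and does a chatflow someone wants to import carry a stdio MCP server launch spec (a `command` plus `args`) that would be executed during tool enumeration? The following pre-import audit is an added example and not Flowise project code. It assumes, as the page does not specify, that a chatflow export is a JSON object with a `nodes` list whose entries carry `data.name`, `data.label` and `data.inputs`, and that MCP server settings may appear under `inputs` either as a dict or as a JSON string; the node name `customMCP`, the sample values and the version strings are constructed for the demonstration.

```python
"""Pre-import audit for Flowise chatflow exports.

Added example, not Flowise code. Assumed (not stated on the page):
a chatflow export is {"nodes": [{"id", "data": {"name", "label",
"inputs": {...}}}], "edges": [...]}, and a stdio MCP server config may
sit under "inputs" as a dict or as a JSON string. The audit walks every
value under "inputs" and flags any object carrying a "command" key, the
field that tells an MCP client which local process to launch.
"""
import json
from typing import Any, Iterator

FIXED_VERSION = (3, 1, 0)  # first release the page names as fixed


def parse_version(version: str) -> tuple:
    """Turn '3.0.5' (or 'v3.0.5-rc1') into a comparable (major, minor, patch)."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when the running Flowise build predates the 3.1.0 fix."""
    return parse_version(version) < FIXED_VERSION


def _iter_objects(value: Any, path: str = "") -> Iterator[tuple]:
    """Yield (path, dict) for every object reachable under value.

    Strings are decoded as JSON first, because node inputs frequently
    embed a whole server config as one JSON string.
    """
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except ValueError:
            return
    if isinstance(value, dict):
        yield path, value
        for key, child in value.items():
            yield from _iter_objects(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from _iter_objects(child, f"{path}[{index}]")


def find_stdio_mcp_nodes(chatflow: dict) -> list:
    """Report every node whose inputs carry a stdio-style launch spec."""
    findings = []
    for node in chatflow.get("nodes", []):
        data = node.get("data", {})
        label = f"{data.get('name', '')} {data.get('label', '')}".strip()
        for path, obj in _iter_objects(data.get("inputs", {})):
            if "command" in obj:
                findings.append({
                    "node_id": node.get("id"),
                    "node": label,
                    "where": path,
                    "command": obj["command"],
                    "args": obj.get("args", []),
                })
    return findings


# Constructed sample export: one ordinary LLM node and one MCP node whose
# server config is a JSON string pointing at a locally launched process.
SAMPLE_CHATFLOW = {
    "nodes": [
        {"id": "llm_0", "data": {"name": "chatOpenAI", "label": "ChatOpenAI",
                                  "inputs": {"modelName": "gpt-4o", "temperature": 0.2}}},
        {"id": "mcp_0", "data": {"name": "customMCP", "label": "Custom MCP",
                                  "inputs": {"mcpServerConfig": json.dumps({
                                      "command": "npx",
                                      "args": ["-y", "example-mcp-server"]})}}},
    ],
    "edges": [],
}


if __name__ == "__main__":
    print("affected 3.0.5:", is_affected("3.0.5"), "| affected 3.1.0:", is_affected("3.1.0"))
    for finding in find_stdio_mcp_nodes(SAMPLE_CHATFLOW):
        print("stdio MCP launch spec in node", finding["node_id"],
              f"({finding['node']}) at {finding['where']}:",
              finding["command"], finding["args"])
```

Running the audit before an import (for example in a review step gated by the same access control that limits who may create chatflows) turns "limit who can import" into a concrete gate: any finding means a human confirms that launching that local process is intended, and on a build where `is_affected` is true the import is refused until the server is updated. The walker deliberately flags any `command` key rather than only nodes named MCP, since a conservative false positive is cheaper than a missed launch spec hidden under an unfamiliar node type.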

Sources

Exploit Code Published for Critical Flowise RCE Vulnerability
Ionut Arghire, 2026.05.30
This article marks a distinct escalation in the Flowise CVE-2026-40933 story: technical details and proof-of-concept code have been published, which makes the exploit path concrete and gives defenders a clear reason to patch now.