Skip to main content

Flowise CVE-2025-71336

| EUVDEUVD-2025-210342 CRITICAL
OS Command Injection (CWE-78)
2026-06-25 VulnCheck GHSA-q2xp-j85q-883h
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Default no-auth install and attacker-set internal header make it remote and unauthenticated (PR:N, AC:L), and direct command execution yields full C/I/A loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 23:04 EUVD
Source Code Evidence Fetched
Jun 25, 2026 - 22:34 vuln.today
Analysis Generated
Jun 25, 2026 - 22:34 vuln.today

DescriptionCVE.org

Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute OS commands such as launching local MCP servers. Because Flowise's authentication and authorization model is minimal and lacks role-based access control, and the default installation runs without authentication unless FLOWISE_USERNAME and FLOWISE_PASSWORD are set, an attacker can send a crafted JSON payload with the header 'x-request-from: internal' to the /api/v1/node-load-method/customMCP endpoint to execute arbitrary OS commands, resulting in complete compromise of the platform container or server.

AnalysisAI

Remote code execution in Flowise (versions 2.2.7-patch.1 through pre-3.0.6) lets attackers run arbitrary OS commands by abusing the Custom MCP feature, which is intended to spawn local MCP servers via tools like npx. Because the default installation runs with no authentication (unless FLOWISE_USERNAME/FLOWISE_PASSWORD are set) and lacks role-based access control, an attacker can POST a crafted JSON payload bearing the 'x-request-from: internal' header to /api/v1/node-load-method/customMCP and fully compromise the host container. Publicly available exploit code exists in the GHSA advisory, including a reverse-shell payload via nc.

Technical ContextAI

Flowise is a low-code/no-code visual builder for LLM orchestration flows. The vulnerability is an OS command injection (CWE-78) rooted in the Custom MCP node, which by design executes a configurable 'command' plus 'args' to launch Model Context Protocol servers. The customMCP node-load-method handler passes the user-supplied mcpServerConfig directly to a child-process invocation without sandboxing, allowlisting, or privilege separation. The 'x-request-from: internal' header is an internal trust marker the application honors, and combined with Flowise's minimal auth model (no RBAC, optional basic auth disabled by default per the affected CPE cpe:2.3:a:flowise:flowise:*) it allows the command/args fields to be set to any binary, e.g. touch, nc, /bin/sh.

RemediationAI

Upgrade to Flowise 3.0.6 or later (Vendor-released patch: 3.0.6); the fix is in PR https://github.com/FlowiseAI/Flowise/pull/5201 and commit ac7cf30e019cde54905bf09b5d3fe1c6ba42f9b9. If you cannot upgrade immediately, set FLOWISE_USERNAME and FLOWISE_PASSWORD to enable basic authentication and place the instance behind an authenticating reverse proxy, restrict network access to the /api/v1/node-load-method/customMCP endpoint, and where possible disable or remove the Custom MCP feature - accepting that doing so breaks legitimate local MCP server launching. Additionally, strip or reject the 'x-request-from: internal' header at the proxy layer so external clients cannot assert internal trust, run the Flowise container as a non-root, least-privilege user with no outbound network egress, and consider sandboxing Custom MCP execution as recommended in GHSA-6933-jpx5-q87q. Refer to the advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6933-jpx5-q87q for vendor guidance.

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2025-8943 CRITICAL POC
9.8 Aug 14

Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c

CVE-2025-26319 CRITICAL POC
9.8 Mar 04

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una

CVE-2025-58434 CRITICAL POC
9.8 Sep 12

Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9

CVE-2026-30821 CRITICAL POC
9.8 Mar 07

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent

CVE-2026-30824 CRITICAL POC
9.8 Mar 07

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi

CVE-2026-56274 HIGH POC
8.7 Jun 23

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per

CVE-2026-30820 HIGH POC
8.8 Mar 07

Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof

CVE-2026-30823 HIGH POC
8.8 Mar 07

Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).

CVE-2025-34267 HIGH POC
8.4 Oct 14

Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when

CVE-2024-8181 HIGH POC
8.1 Aug 27

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili

CVE-2026-30822 HIGH POC
7.7 Mar 07

Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu

Share

CVE-2025-71336 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy