Flowise Drag-and-Drop Now Drags in Remote Code Too (CVE-2026-40933)

Key Takeaways

  • CVE-2026-40933, disclosed in April 2026, is an authenticated remote command execution flaw in Flowise, a widely used open-source AI workflow builder.
  • Adding a Custom MCP server via Flowise’s canvas lets an authenticated attacker supply an arbitrary command that bypasses validateCommandInjection and related sanitization.
  • Reporting describes around 200,000 vulnerable instances tied to roughly 150 million downloads, with about 7,000 servers publicly accessible at disclosure.
  • The fix is in Flowise 3.1.0; older instances remain exposed until upgraded.
  • Related coverage highlights broader MCP registry hygiene concerns, with 9 of 11 surveyed registries hosting malicious or suspect listings.

Summary

CVE-2026-40933 is an authenticated remote command execution flaw in Flowise’s Model Context Protocol adapter, disclosed in April 2026. An authenticated user can add a Custom MCP stdio server with an arbitrary command that bypasses the builder’s sanitization and runs on the host. Flowise patched the issue in 3.1.0, but approximately 7,000 publicly accessible servers and 200,000 vulnerable instances remained at disclosure.

What We Know

Flowise is a widely used open-source low-code AI workflow builder with roughly 150 million downloads and around 200,000 active instances. In April 2026, security researchers disclosed CVE-2026-40933, an authenticated RCE in its MCP adapter, first reported across Cybersecurity News and GBHackers.

The underlying cause is unsafe serialization of stdio commands within the adapter. An authenticated user adding a Custom MCP server through the canvas can supply an arbitrary command despite sanitization functions such as validateCommandInjection and validateArgsForLocalFileAccess and a predefined safe-command list. The bypass allows the supplied command to execute under the Flowise host process. At disclosure, roughly 7,000 Flowise instances were directly accessible on the public internet. Flowise 3.1.0 contains the fix; maintainers advised all operators to upgrade immediately.

What Happened

The failure is a classic input-validation gap with an AI-ecosystem twist. Flowise’s Custom MCP configuration accepts stdio command specifications and routes them through serialization logic before execution. The sanitization functions were intended to reject dangerous inputs, but the serialization path permitted structures that defeated those checks. An authenticated attacker could therefore craft a Custom MCP definition that passed validation but produced an execution-time command of the attacker’s choosing.
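The contrast between checking the raw input and checking what actually executes is the whole story here, so the following Node.js sketch is added as an illustration. It is not Flowise code and does not reproduce the project's validateCommandInjection or validateArgsForLocalFileAccess; the function names, the launcher allowlist, the blocked environment variables and the sample definitions are all this example's own assumptions. `weakValidateThenSerialize` inspects only the `command` field and then joins everything into one shell line, so the strings that reach the shell were never examined. `hardenedNormalizeThenValidate` builds the final argv first, validates every element of it, and returns a spawn plan with `shell: false` so no second parser ever sees the strings.

```javascript
// Added example (not Flowise code): validate a Custom MCP stdio server
// definition on the exact argv that will execute, not on the raw fields
// before serialization. All names and allowlists here are assumptions.

// Hypothetical allowlist of launchers an operator permits for MCP servers.
const ALLOWED_COMMANDS = new Set(['npx', 'node', 'uvx', 'python3']);

// Environment variables that change how the launcher itself behaves;
// user-supplied definitions are not allowed to set them.
const BLOCKED_ENV = new Set([
  'PATH', 'NODE_OPTIONS', 'LD_PRELOAD', 'PYTHONPATH', 'DYLD_INSERT_LIBRARIES',
]);

// Bytes that only carry meaning for a shell. Because the hardened path
// spawns with shell:false they are never needed, so their presence marks
// a definition as malformed rather than "something to escape".
const SHELL_METACHARS = /[;&|`$<>()\n\r"'\\]/;

// Weak pattern: the allowlist check runs on the raw "command" field, then a
// separate serialization step joins command and args into one shell line.
// The argument strings that actually reach the shell were never examined,
// and non-string args are silently coerced by join().
function weakValidateThenSerialize(def) {
  if (!ALLOWED_COMMANDS.has(def.command)) {
    return { ok: false, reason: 'command not allowed' };
  }
  const line = [def.command, ...(def.args || [])].join(' ');
  return { ok: true, shell: true, line };
}

// Hardened pattern: normalize into the final argv first, validate every
// element of that argv, then return a plan that executes without a shell.
function hardenedNormalizeThenValidate(def) {
  if (def === null || typeof def !== 'object') {
    return { ok: false, reason: 'definition must be an object' };
  }
  const { command, args = [], env = {} } = def;
  if (typeof command !== 'string' || !Array.isArray(args)) {
    return { ok: false, reason: 'command must be a string and args an array' };
  }
  // Reject any path component ("./npx", "/tmp/npx") so an allowlisted name
  // cannot be impersonated by a file the attacker controls.
  if (/[\\/]/.test(command) || !ALLOWED_COMMANDS.has(command)) {
    return { ok: false, reason: `launcher "${command}" not allowlisted` };
  }
  // Validate the argv exactly as it will execute: strings only, bounded,
  // no NUL bytes, no shell metacharacters.
  const argv = [command, ...args];
  for (const a of argv) {
    if (typeof a !== 'string') return { ok: false, reason: 'non-string argv element' };
    if (a.length > 4096) return { ok: false, reason: 'argv element too long' };
    if (a.includes('\0')) return { ok: false, reason: 'NUL byte in argv element' };
    if (SHELL_METACHARS.test(a)) return { ok: false, reason: `shell metacharacter in "${a}"` };
  }
  if (env === null || typeof env !== 'object') {
    return { ok: false, reason: 'env must be an object' };
  }
  for (const k of Object.keys(env)) {
    if (BLOCKED_ENV.has(k.toUpperCase()) || typeof env[k] !== 'string') {
      return { ok: false, reason: `env override "${k}" not permitted` };
    }
  }
  // The plan is what a caller would hand to child_process.spawn(file, args,
  // { shell: false, env }); the validated argv is the only thing that runs.
  return { ok: true, shell: false, file: command, args: argv.slice(1), env };
}

// Constructed sample definitions for the audit below (not from the advisory).
const SAMPLES = {
  benign: { command: 'npx', args: ['-y', '@example/mcp-server', '--port', '3001'] },
  metachar: { command: 'npx', args: ['-y', 'some-server; extra'] },
  pathed: { command: './npx', args: [] },
  nested: { command: 'npx', args: [['-y', 'x']] },
  envOverride: { command: 'node', args: ['server.js'], env: { NODE_OPTIONS: '--require ./hook.js' } },
};

// Run both validators over every sample and report which one accepts it.
function auditSamples() {
  const out = {};
  for (const [name, def] of Object.entries(SAMPLES)) {
    out[name] = {
      weak: weakValidateThenSerialize(def).ok,
      hardened: hardenedNormalizeThenValidate(def).ok,
    };
  }
  return out;
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

The point of the audit table is that the weak validator accepts four of the five samples while the hardened one accepts only the benign definition; the difference is not a better regex but the object being validated. A defender reviewing any builder that launches stdio subprocesses from user configuration can apply the same question: is the check run on the bytes that spawn() will receive, and is a shell ever involved?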

Traditional RCE patterns are well understood. The AI-specific aggravator is the Model Context Protocol interface and the pattern of treating MCP servers as trusted, because they sit inside the AI builder surface and are routinely added and removed during workflow authoring. That operational trust collapsed the review that would otherwise accompany a new command entering a server-side execution context. Coupled with MCP registry hygiene problems surfacing across the ecosystem, Flowise’s exposure is one instance of a larger pattern: MCP trust boundaries are not yet codified in a way developer platforms can rely on.

Why It Matters

CVE-2026-40933 sits at the intersection of two emerging enterprise risks. The first is the operational reach of low-code AI builders. Flowise and its peers are installed across internal platform teams because they accelerate agent prototyping, and an RCE in that class of tool grants attackers access to the secrets, data, and downstream systems hosted alongside the builder. The second is the expanding supply-chain surface of MCP.

A related write-up on the PointGuard site, the McKinsey AI platform breach, shows how quickly an authenticated-but-exposed internal AI platform can escalate into a broader incident. Regulators will view this as concrete evidence that the MCP ecosystem needs clearer guardrails. For enterprise security teams, the lesson is that internal AI builder platforms belong on the same patch and inventory treadmill as traditional developer tooling. Given the public-accessibility footprint at disclosure, active exploitation is plausible in the weeks ahead.

PointGuard AI Perspective

Flowise’s CVE-2026-40933 highlights why PointGuard AI focuses on continuous visibility across the AI builder and MCP surface, not only on models. PointGuard AI’s AI security posture management capability inventories every AI builder platform and MCP server active inside an enterprise, the versions each instance carries, the custom configurations that govern runtime behavior, and the authenticated users who can modify them.

When a Flowise instance runs an affected version, PointGuard flags the exposure and pairs it with a concrete upgrade path. PointGuard’s supply-chain risk management product extends that visibility across the broader MCP registry ecosystem, treating each registry and adapter as a scored dependency with its own vulnerability history and provenance record. For enterprises running internal AI builder platforms, the right answer is not to slow prototyping but to wrap it in posture and scoring discipline, so internal AI innovation and enterprise security posture grow together rather than in opposition.

Incident Scorecard Details

Total AISSI Score: 6.0/10

Criticality = 7, Flowise hosts backing services and secrets in many deployments, AISSI weighting: 25%

Propagation = 7, Broad adoption among hobbyist-to-production AI builders; registry-level issue compounds exposure, AISSI weighting: 20%

Exploitability = 5, Technical details sufficient for weaponization; no confirmed in-the-wild exploitation, AISSI weighting: 15%

Supply Chain = 7, MCP registry hygiene is systemic, AISSI weighting: 15%

Business Impact = 4, Potential only; upgrade pressure on operators, AISSI weighting: 25%

Sources


Scoring Methodology

Category         Description                                                                   Weight
Criticality      Importance and sensitivity of the affected assets and data.                   25%
Propagation      How easily the issue can escalate or spread to other resources.               20%
Exploitability   Whether the threat is actively being exploited or only demonstrated in a lab. 15%
Supply Chain     Whether the threat originated with or was amplified by third-party vendors.   15%
Business Impact  Operational, financial, and reputational consequences.                        25%
