CVE-2026-56274
CRITICAL
NVD
CVSS Score
9.9
Severity
CRITICAL
Published
Jun 23, 2026
Vendor
unknown
Description
Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions. An attacker with a Flowise account of any role, or API access with view/update permissions for chatflows, can configure a malicious MCP server to bypass the validateCommandFlags blocklist (for example, 'docker build' is not blocked, and 'npx --yes' is not blocked while only '-y' is) and the validateArgsForLocalFileAccess checks, resulting in execution of arbitrary commands on the Flowise host.
References
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-m99r-2hxc-cp3q
- https://www.vulncheck.com/advisories/flowise-remote-code-execution-via-mcp-security-bypass-in-validatecommandflags-and-validateargsforlocalfileaccess
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-m99r-2hxc-cp3q