CVE Catalog

CVE-2026-56274

CriticalCVSS 9.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

High risk
2.68%

84th percentile — higher than 84% of all known CVEs

Summary

Flowise versions before 3.1.2 contain multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions.

Risk Assessment

An attacker with a Flowise account or API access can configure a malicious MCP server, leading to the execution of arbitrary commands on the Flowise host, posing a serious security threat.

Recommendation

It is recommended to update Flowise to version 3.1.2 or later to mitigate these vulnerabilities and implement additional security measures to restrict access to MCP features.

Original NVD description (English source)

Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions. An attacker with a Flowise account of any role, or API access with view/update permissions for chatflows, can configure a malicious MCP server to bypass the validateCommandFlags blocklist (for example, 'docker build' is not blocked, and 'npx --yes' is not blocked while only '-y' is) and the validateArgsForLocalFileAccess checks, resulting in execution of arbitrary commands on the Flowise host.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS