Flowise

Flowise versions 3.1.1 and earlier are vulnerable to remote code execution (RCE) due to multiple MCP security bypasses, allowing attackers to execute arbitrary commands on the Flowise server by exploiting blocklist weaknesses in docker build, npx, and node command handling.

A missing authentication vulnerability in Flowise versions prior to 3.0.5 allows attackers to perform critical functions without authentication, and a working exploit is publicly available on Exploit-DB.

Flowise versions 3.0.13 and earlier are vulnerable to authenticated arbitrary command execution due to unsafe serialization of stdio commands in the MCP adapter, allowing a malicious user to execute commands on the underlying operating system.

Flowise is vulnerable to SSRF protection bypass via unprotected built-in HTTP modules in the custom function sandbox, allowing authenticated users to access internal network resources by exploiting the lack of SSRF protection on Node.js `http`, `https`, and `net` modules.