{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/flowise/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["flowise","rce","command-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFlowise is an open-source low-code platform to build customized AI flow. Versions 3.0.13 and earlier contain a critical vulnerability that allows authenticated users to execute arbitrary commands on the underlying operating system. This vulnerability stems from insufficient input sanitization within the MCP (Model Composition Protocol) adapter. By adding a new MCP using stdio, an attacker can inject malicious commands, bypassing existing sanitization checks. Specifically, the vulnerability lies in the \u0026ldquo;Custom MCP\u0026rdquo; configuration where commands like \u0026ldquo;npx\u0026rdquo; can be combined with code execution arguments (e.g., \u0026ldquo;npx -c touch /tmp/pwn\u0026rdquo;), leading to direct code execution. This vulnerability affects both the \u003ccode\u003eflowise\u003c/code\u003e and \u003ccode\u003eflowise-components\u003c/code\u003e packages.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Flowise application.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the Custom MCP configuration page (e.g., \u003ccode\u003e/canvas\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker creates a new Custom MCP adapter.\u003c/li\u003e\n\u003cli\u003eAttacker configures the MCP adapter to use stdio.\u003c/li\u003e\n\u003cli\u003eAttacker injects a malicious command, such as \u0026ldquo;npx -c touch /tmp/pwn\u0026rdquo;, into the command or arguments fields. This bypasses \u003ccode\u003evalidateCommandInjection\u003c/code\u003e and \u003ccode\u003evalidateArgsForLocalFileAccess\u003c/code\u003e checks.\u003c/li\u003e\n\u003cli\u003eFlowise application executes the attacker-supplied command via the MCP adapter.\u003c/li\u003e\n\u003cli\u003eMalicious command is executed on the underlying operating system.\u003c/li\u003e\n\u003cli\u003eAttacker achieves arbitrary code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an authenticated attacker to achieve arbitrary command execution on the Flowise server. This could lead to complete system compromise, data theft, or denial of service. The vulnerability affects Flowise installations running versions 3.0.13 and earlier. The number of affected installations is currently unknown, but given the popularity of Flowise, the potential impact is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Flowise and Flowise-components to a version greater than 3.0.13 to patch CVE-2026-40933.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u0026ldquo;npx\u0026rdquo; with the \u0026ldquo;-c\u0026rdquo; argument where the parent process is the Flowise application. Deploy the provided Sigma rule \u003ccode\u003eDetect Flowise MCP Command Execution\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation and sanitization measures within the MCP adapter configuration to prevent command injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-flowise-rce/","summary":"Flowise versions 3.0.13 and earlier are vulnerable to authenticated arbitrary command execution due to unsafe serialization of stdio commands in the MCP adapter, allowing a malicious user to execute commands on the underlying operating system.","title":"Flowise Authenticated Remote Code Execution via MCP Adapter","url":"https://feed.craftedsignal.io/briefs/2026-04-flowise-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","flowise","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFlowise, a low-code platform for building custom automation workflows, is susceptible to a Server-Side Request Forgery (SSRF) protection bypass. This vulnerability stems from the application\u0026rsquo;s incomplete implementation of SSRF defenses. While \u003ccode\u003eaxios\u003c/code\u003e and \u003ccode\u003enode-fetch\u003c/code\u003e libraries are secured with an \u003ccode\u003eHTTP_DENY_LIST\u003c/code\u003e, the built-in Node.js modules \u003ccode\u003ehttp\u003c/code\u003e, \u003ccode\u003ehttps\u003c/code\u003e, and \u003ccode\u003enet\u003c/code\u003e are permitted within the NodeVM sandbox without any equivalent restrictions. An authenticated attacker can exploit this oversight in Flowise version 3.0.13 and earlier to make arbitrary HTTP requests to internal network resources. This issue allows bypassing intended security controls and potentially accessing sensitive information, such as cloud provider metadata services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to a Flowise instance using a valid API key or session.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JavaScript payload designed to exploit the custom function feature.\u003c/li\u003e\n\u003cli\u003eThe malicious payload imports the built-in \u003ccode\u003ehttp\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eThe payload constructs an HTTP request targeting an internal resource, such as the AWS metadata service at \u003ccode\u003e169.254.169.254\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a header to obtain an IAM token: \u003ccode\u003e'X-aws-ec2-metadata-token-ttl-seconds': '21600'\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe payload uses the obtained IAM token to request temporary AWS credentials from the metadata service.\u003c/li\u003e\n\u003cli\u003eThe custom function executes the code within the NodeVM sandbox, bypassing the intended SSRF protection.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the temporary AWS credentials from the metadata service, potentially leading to unauthorized access to AWS resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability can have significant consequences. Attackers can steal temporary IAM credentials from cloud provider metadata services, granting them unauthorized access to other cloud resources. Furthermore, they can scan internal networks to discover services and identify additional attack targets. The ability to reach databases, admin panels, and other internal APIs that should not be externally accessible poses a severe security risk, potentially leading to data breaches or system compromise. All Flowise deployments where \u003ccode\u003eHTTP_DENY_LIST\u003c/code\u003e is configured for SSRF protection are vulnerable, while deployments without it are already generally vulnerable to SSRF.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the necessary patches to Flowise to remediate the SSRF vulnerability as described in GHSA-xhmj-rg95-44hv.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect exploitation attempts involving the \u003ccode\u003ehttp\u003c/code\u003e module targeting common cloud metadata endpoints: \u003ccode\u003eFlowise SSRF Using HTTP Module\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable logging of HTTP requests originating from the Flowise server to aid in identifying and investigating potential SSRF attacks.\u003c/li\u003e\n\u003cli\u003eReview and harden network segmentation to limit the impact of potential SSRF vulnerabilities.\u003c/li\u003e\n\u003cli\u003eConsider disabling the custom function feature if it is not essential to the functionality of the Flowise deployment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T21:50:12Z","date_published":"2026-04-16T21:50:12Z","id":"/briefs/2024-01-09-flowise-ssrf/","summary":"Flowise is vulnerable to SSRF protection bypass via unprotected built-in HTTP modules in the custom function sandbox, allowing authenticated users to access internal network resources by exploiting the lack of SSRF protection on Node.js `http`, `https`, and `net` modules.","title":"Flowise SSRF Protection Bypass via Unprotected Built-in HTTP Modules","url":"https://feed.craftedsignal.io/briefs/2024-01-09-flowise-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Flowise","version":"https://jsonfeed.org/version/1.1"}