https://feed.craftedsignal.io/tags/flowise/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 17 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-flowise-rce/Fri, 17 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-flowise-rce/Flowise versions 3.0.13 and earlier are vulnerable to authenticated arbitrary command execution due to unsafe serialization of stdio commands in the MCP adapter, allowing a malicious user to execute commands on the underlying operating system.Flowise is an open-source low-code platform to build customized AI flow. Versions 3.0.13 and earlier contain a critical vulnerability that allows authenticated users to execute arbitrary commands on the underlying operating system. This vulnerability stems from insufficient input sanitization within the MCP (Model Composition Protocol) adapter. By adding a new MCP using stdio, an attacker can inject malicious commands, bypassing existing sanitization checks. Specifically, the vulnerability lies in the “Custom MCP” configuration where commands like “npx” can be combined with code execution arguments (e.g., “npx -c touch /tmp/pwn”), leading to direct code execution. This vulnerability affects both the flowise and flowise-components packages.

Attack Chain

1. Attacker authenticates to the Flowise application.
2. Attacker navigates to the Custom MCP configuration page (e.g., /canvas).
3. Attacker creates a new Custom MCP adapter.
4. Attacker configures the MCP adapter to use stdio.
5. Attacker injects a malicious command, such as “npx -c touch /tmp/pwn”, into the command or arguments fields. This bypasses validateCommandInjection and validateArgsForLocalFileAccess checks.
6. Flowise application executes the attacker-supplied command via the MCP adapter.
7. Malicious command is executed on the underlying operating system.
8. Attacker achieves arbitrary code execution on the server.

Impact

Successful exploitation of this vulnerability allows an authenticated attacker to achieve arbitrary command execution on the Flowise server. This could lead to complete system compromise, data theft, or denial of service. The vulnerability affects Flowise installations running versions 3.0.13 and earlier. The number of affected installations is currently unknown, but given the popularity of Flowise, the potential impact is significant.

Recommendation

• Upgrade Flowise and Flowise-components to a version greater than 3.0.13 to patch CVE-2026-40933.
• Monitor process creation events for the execution of “npx” with the “-c” argument where the parent process is the Flowise application. Deploy the provided Sigma rule Detect Flowise MCP Command Execution to identify potential exploitation attempts.
• Implement stricter input validation and sanitization measures within the MCP adapter configuration to prevent command injection attacks.

]]>criticaladvisoryflowisercecommand-injectionhttps://feed.craftedsignal.io/briefs/2024-01-09-flowise-ssrf/Thu, 16 Apr 2026 21:50:12 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-09-flowise-ssrf/Flowise is vulnerable to SSRF protection bypass via unprotected built-in HTTP modules in the custom function sandbox, allowing authenticated users to access internal network resources by exploiting the lack of SSRF protection on Node.js `http`, `https`, and `net` modules.Flowise, a low-code platform for building custom automation workflows, is susceptible to a Server-Side Request Forgery (SSRF) protection bypass. This vulnerability stems from the application’s incomplete implementation of SSRF defenses. While axios and node-fetch libraries are secured with an HTTP_DENY_LIST, the built-in Node.js modules http, https, and net are permitted within the NodeVM sandbox without any equivalent restrictions. An authenticated attacker can exploit this oversight in Flowise version 3.0.13 and earlier to make arbitrary HTTP requests to internal network resources. This issue allows bypassing intended security controls and potentially accessing sensitive information, such as cloud provider metadata services.

Attack Chain

1. The attacker authenticates to a Flowise instance using a valid API key or session.
2. The attacker crafts a malicious JavaScript payload designed to exploit the custom function feature.
3. The malicious payload imports the built-in http module.
4. The payload constructs an HTTP request targeting an internal resource, such as the AWS metadata service at 169.254.169.254.
5. The request includes a header to obtain an IAM token: 'X-aws-ec2-metadata-token-ttl-seconds': '21600'.
6. The payload uses the obtained IAM token to request temporary AWS credentials from the metadata service.
7. The custom function executes the code within the NodeVM sandbox, bypassing the intended SSRF protection.
8. The attacker retrieves the temporary AWS credentials from the metadata service, potentially leading to unauthorized access to AWS resources.

Impact

Successful exploitation of this SSRF vulnerability can have significant consequences. Attackers can steal temporary IAM credentials from cloud provider metadata services, granting them unauthorized access to other cloud resources. Furthermore, they can scan internal networks to discover services and identify additional attack targets. The ability to reach databases, admin panels, and other internal APIs that should not be externally accessible poses a severe security risk, potentially leading to data breaches or system compromise. All Flowise deployments where HTTP_DENY_LIST is configured for SSRF protection are vulnerable, while deployments without it are already generally vulnerable to SSRF.

Recommendation

• Apply the necessary patches to Flowise to remediate the SSRF vulnerability as described in GHSA-xhmj-rg95-44hv.
• Deploy the following Sigma rule to detect exploitation attempts involving the http module targeting common cloud metadata endpoints: Flowise SSRF Using HTTP Module.
• Enable logging of HTTP requests originating from the Flowise server to aid in identifying and investigating potential SSRF attacks.
• Review and harden network segmentation to limit the impact of potential SSRF vulnerabilities.
• Consider disabling the custom function feature if it is not essential to the functionality of the Flowise deployment.

]]>highadvisoryssrfflowisecloud