CVE-2026-56274
CriticalCVSS 9.9Exploitation Probability (EPSS)
High risk84th percentile — higher than 84% of all known CVEs
Summary
Flowise versions before 3.1.2 contain multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions.
Risk Assessment
An attacker with a Flowise account or API access can configure a malicious MCP server, leading to the execution of arbitrary commands on the Flowise host, posing a serious security threat.
Recommendation
It is recommended to update Flowise to version 3.1.2 or later to mitigate these vulnerabilities and implement additional security measures to restrict access to MCP features.
Original NVD description (English source)
Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions. An attacker with a Flowise account of any role, or API access with view/update permissions for chatflows, can configure a malicious MCP server to bypass the validateCommandFlags blocklist (for example, 'docker build' is not blocked, and 'npx --yes' is not blocked while only '-y' is) and the validateArgsForLocalFileAccess checks, resulting in execution of arbitrary commands on the Flowise host.

