{"data":{"id":"b38bb1c1-4386-4f08-9761-c3f71dcbeaf2","title":"Flowise’s MCP implementation can run ghost commands","summary":"Flowise, an open-source platform for building self-hosted AI assistants, has a critical remote code execution (RCE, where attackers can run commands on a system they don't own) vulnerability in its Model Context Protocol (MCP, a system that lets AI agents interact with local tools and files) stdio server implementation. The flaw allows attackers to execute arbitrary commands with the privileges of the Flowise process by importing a malicious chatflow, and Flowise's attempted patches using input validation have proven ineffective.","solution":"The only complete mitigation explicitly recommended by researchers is to disable MCP stdio by setting \"CUSTOM_MCP_PROTOCOL=sse\". For deployments that cannot disable this feature without disrupting operations, the researchers suggest pinning trusted packages where possible and reviewing imported chatflows from untrusted sources, though these are presented as partial measures rather than complete fixes.","labels":["security"],"sourceUrl":"https://www.csoonline.com/article/4179309/flowises-mcp-implementation-can-run-ghost-commands.html","publishedAt":"2026-06-01T12:01:03.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":[],"issueType":"news","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["Flowise","Obsidian Security"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-06-01T12:01:03.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}