GHSA-m99r-2hxc-cp3q: Flowise has an MCP Security Bypass that Enables RCE
Summary
Flowise, a tool for building AI applications, has a security vulnerability in its MCP feature (Model Context Protocol, which lets AI tools run system commands) that allows attackers to bypass command restrictions and execute arbitrary code. The vulnerability has three bypass methods: the 'docker build' command isn't blocked (allowing remote code execution through malicious Dockerfiles), the 'npx --yes' long parameter isn't blocked (allowing installation of malicious packages), and a third unspecified method. Any Flowise user can exploit this if the system has docker or npx installed.
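Both named bypasses follow from blocking specific spellings instead of permitting known-good ones. The added example below (not Flowise's code and not taken from the advisory) contrasts a constructed denylist with a default-deny allowlist; the denylist entries, the `example-mcp-server` name and all function names are assumptions made for illustration.

```javascript
// Added example: hypothetical validators, not Flowise's implementation.

// Constructed denylist: only these exact tokens are blocked (entries assumed).
const DENIED = new Map([
  ['docker', ['run']],
  ['npx', ['-y']],
]);

// Denylist check: rejects only when a listed token appears verbatim, so any
// unlisted subcommand or alternate flag spelling is accepted.
function denylistAllows(command, args) {
  const denied = DENIED.get(command) || [];
  return !args.some((arg) => denied.includes(arg));
}

// Constructed allowlist: each permitted executable lists the only arguments
// it may receive. 'example-mcp-server' is a placeholder package name.
const ALLOWED = new Map([
  ['npx', new Set(['example-mcp-server'])],
]);

// Allowlist check: default deny. Unknown commands, flags and values all fail.
function allowlistAllows(command, args) {
  // Bare executable names only, so a path cannot select a different binary.
  if (typeof command !== 'string' || !/^[a-z0-9_-]+$/i.test(command)) return false;
  const permitted = ALLOWED.get(command);
  if (!permitted || !Array.isArray(args)) return false;
  // Every argument must match an allowed value exactly, flags included.
  return args.every((arg) => typeof arg === 'string' && permitted.has(arg));
}

// Constructed requests mirroring the two bypasses named in the advisory.
const samples = [
  ['npx', ['-y', 'some-package']],
  ['npx', ['--yes', 'some-package']],
  ['docker', ['build', '.']],
  ['npx', ['example-mcp-server']],
];

// Evaluate every sample under both policies for side-by-side comparison.
function compare() {
  return samples.map(([command, args]) => ({
    request: [command, ...args].join(' '),
    denylist: denylistAllows(command, args),
    allowlist: allowlistAllows(command, args),
  }));
}

console.table(compare());
```

The denylist column accepts the `--yes` and `docker build` rows, while the allowlist column accepts only the explicitly listed invocation.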
Original source: https://github.com/advisories/GHSA-m99r-2hxc-cp3q
First tracked: May 14, 2026 at 02:00 PM