Flowise’s MCP implementation can run ghost commands
Summary
Flowise, an open-source platform for building self-hosted AI assistants, has a critical remote code execution (RCE, where attackers can run commands on a system they don't own) vulnerability in its Model Context Protocol (MCP, a system that lets AI agents interact with local tools and files) stdio server implementation. The flaw allows attackers to execute arbitrary commands with the privileges of the Flowise process by importing a malicious chatflow, and Flowise's attempted patches using input validation have proven ineffective.
Solution / Mitigation
The only complete mitigation explicitly recommended by researchers is to disable MCP stdio by setting "CUSTOM_MCP_PROTOCOL=sse". For deployments that cannot disable this feature without disrupting operations, the researchers suggest pinning trusted packages where possible and reviewing imported chatflows from untrusted sources, though these are presented as partial measures rather than complete fixes.
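One way to support the chatflow review suggested above, as an added example that is not from the article or from Flowise: it walks an exported chatflow and lists every stdio-style server definition so a person can inspect it before import. The export schema (an object with a "command" string, possibly inside a JSON-encoded field), the sample data and the version-pin heuristic are assumptions.

```javascript
// Added example (not Flowise code). Assumed schema: the export is JSON, and a stdio
// MCP server appears as an object with a string "command" (plus optional "args"),
// possibly stored inside a JSON-encoded string field.
function tryParse(text) {
  const t = text.trim();
  if (!t.startsWith('{') && !t.startsWith('[')) return undefined;
  try { return JSON.parse(t); } catch (e) { return null; } // null: looked like JSON, failed
}

function findStdioConfigs(value, path = '$', out = []) {
  if (typeof value === 'string') {
    const parsed = tryParse(value);
    if (parsed === null && /\bcommand\b/.test(value)) {
      // Config-like text that is not strict JSON: flag it for manual review.
      out.push({ path, command: null, args: [], pinned: false, unparsed: true });
    } else if (parsed) {
      findStdioConfigs(parsed, path + '<json>', out);
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findStdioConfigs(v, `${path}[${i}]`, out));
  } else if (value && typeof value === 'object') {
    if (typeof value.command === 'string') {
      const args = Array.isArray(value.args) ? value.args.map(String) : [];
      // Heuristic: some argument looks like name@1.2 (a version-pinned package).
      const pinned = args.some((a) => /.@\d+\.\d+/.test(a));
      out.push({ path, command: value.command, args, pinned, unparsed: false });
    }
    for (const [k, v] of Object.entries(value)) findStdioConfigs(v, `${path}.${k}`, out);
  }
  return out;
}

function reviewChatflow(exportText, env = {}) {
  const findings = findStdioConfigs(JSON.parse(exportText));
  return { stdioDisabled: env.CUSTOM_MCP_PROTOCOL === 'sse', findings };
}

// Constructed sample export; node and field names here are illustrative only.
const SAMPLE_EXPORT = JSON.stringify({
  nodes: [
    { id: 'n1', data: { inputs: { serverConfig: '{"command":"npx","args":["-y","example-mcp-server"]}' } } },
    { id: 'n2', data: { inputs: { serverConfig: '{"url":"https://mcp.example.internal/sse"}' } } },
    { id: 'n3', data: { inputs: { serverConfig: '{command: "node", args: ["server.js"]}' } } },
  ],
});

const report = reviewChatflow(SAMPLE_EXPORT, { CUSTOM_MCP_PROTOCOL: 'stdio' });
for (const f of report.findings) console.log(f.path, f.command ?? '(unparsed, review by hand)', f.args.join(' '));
console.log('stdio disabled:', report.stdioDisabled);
```

An empty findings list only means nothing matched the assumed schema; it does not replace setting CUSTOM_MCP_PROTOCOL=sse.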
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://www.csoonline.com/article/4179309/flowises-mcp-implementation-can-run-ghost-commands.html
First tracked: June 1, 2026 at 02:00 PM