CVE-2026-40933: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe s
Summary
Flowise, a tool with a visual interface for building customized AI flows, has a vulnerability before version 3.1.0 that lets authenticated attackers execute arbitrary commands on the server. The flaw is in the MCP (Model Context Protocol) adapter's handling of stdio commands: its input sanitization checks only gate the command itself, so they do not stop an attacker from combining an allowed command such as "npx" with arguments that lead to code execution, and thereby running malicious commands on the underlying operating system.
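The class of gap described above, as an added illustration that is not Flowise's code: a launch-spec validator for a stdio MCP server in which the weak form checks only the executable name, while the hardened form also constrains the arguments to a package specifier plus plain values. The command allowlist, flag allowlist and patterns are constructed for this example.

```typescript
// Constructed example (not Flowise code): validating a stdio MCP server
// launch specification before it is handed to a process spawner.

interface StdioSpec {
  command: string;
  args: string[];
}

// Executables the adapter is willing to launch (constructed allowlist).
const ALLOWED_COMMANDS = new Set(["npx"]);

// Weak check: an allowlisted executable passes regardless of its arguments,
// so the arguments can still steer it into running arbitrary code.
function weakIsAllowed(spec: StdioSpec): boolean {
  return ALLOWED_COMMANDS.has(spec.command);
}

// Options the launcher tolerates before the package name (constructed).
const ALLOWED_FLAGS = new Set(["-y", "--yes"]);

// An npm package spec: optional @scope/, a name, optional @version.
const PACKAGE_SPEC =
  /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*(@[A-Za-z0-9._-]+)?$/;

// Arguments passed on to the package: no leading dash (so they cannot be
// parsed as options) and no shell metacharacters.
const SAFE_ARG = /^[A-Za-z0-9/][A-Za-z0-9._:/=@-]*$/;

// Hardened check: executable allowlisted, only known flags before the
// package, the package spec well-formed, and every trailing argument plain.
function hardenedIsAllowed(spec: StdioSpec): boolean {
  if (!ALLOWED_COMMANDS.has(spec.command)) return false;
  let i = 0;
  while (i < spec.args.length && ALLOWED_FLAGS.has(spec.args[i])) i++;
  const pkg = spec.args[i];
  if (pkg === undefined || !PACKAGE_SPEC.test(pkg)) return false;
  return spec.args.slice(i + 1).every((a) => SAFE_ARG.test(a));
}
```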
Solution / Mitigation
Update Flowise to version 3.1.0 or later, where this vulnerability is fixed.
Vulnerability Details
CVSS v3.1 base score: 9.9 (critical)
EPSS: 0.0%
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack vector: network
Attack complexity: low
Privileges required: low
User interaction: none
Date: April 21, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-40933
First tracked: April 21, 2026 at 08:09 PM
Classified by LLM (prompt v3) · confidence: 92%