CVE-2026-56274: Critical OS Command Injection in Flowise

Published: June 24, 2026 | CVSS 3.1 Base Score: 9.9 (Critical) | Unpatched
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

A critical OS command injection vulnerability has been discovered in Flowise, the popular open-source AI agent and LLM workflow orchestration platform. The flaw exists in the Custom MCP Server feature and allows authenticated attackers to achieve remote code execution on the host system.

Affected Versions

All versions of Flowise before 3.1.2 are vulnerable.

Technical Details

The vulnerability resides in Flowise's Custom MCP (Model Context Protocol) node, which allows users to configure stdio MCP servers that launch as child processes. Two validation mechanisms are bypassed:

An attacker with a Flowise account (any role) or API access with view/update permissions for chatflows can configure a malicious MCP server to execute arbitrary commands on the Flowise host server.

UPDATE: FIX AVAILABLE
Flowise 3.1.2 includes a fix for this vulnerability.

Mitigation Guidance

Until a patched version is released, organizations running Flowise should:

  1. Disable the Custom MCP Server feature if not in active use
  2. Restrict API access to trusted users and IP ranges
  3. Monitor for unusual child processes spawned by the Flowise service
  4. Apply network segmentation to limit the blast radius
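One way to turn step 3 into a periodic check, as an added example rather than Flowise's own code: a stdio MCP server configured through the Custom MCP node runs as a child of the Flowise service process, so any descendant of that process whose executable is not on a short allowlist is worth a look. The script assumes the service can be recognised by "flowise" in its command line, the install path and allowlist are assumptions to adapt, and the process listing below is constructed.

```python
import subprocess

# Executables that legitimately configured stdio MCP servers may be launched
# with. Assumption: adjust to what your own chatflows use.
ALLOWED_CHILD_COMMANDS = {"node", "npx", "python3", "uvx"}

# Constructed sample of `ps -eo pid,ppid,comm,args` output; the Flowise
# install path is assumed, not taken from the advisory.
SAMPLE_PS = """\
  PID  PPID COMMAND  COMMAND
    1     0 systemd  /sbin/init
 4200     1 node     node /usr/local/lib/node_modules/flowise/bin/run start
 4310  4200 npx      npx -y @modelcontextprotocol/server-filesystem /data
 4322  4200 sh       sh -c whoami
 4330  4322 whoami   whoami
"""

def parse_ps(text):
    """Return {pid: (ppid, comm, args)} from `ps -eo pid,ppid,comm,args` output."""
    procs = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) == 4:
            procs[int(parts[0])] = (int(parts[1]), parts[2], parts[3])
    return procs

def flowise_pids(procs):
    """PIDs whose command line mentions flowise (assumed service marker)."""
    return {pid for pid, (_, _, args) in procs.items() if "flowise" in args.lower()}

def unexpected_children(procs, allowed=ALLOWED_CHILD_COMMANDS):
    """Descendants of the Flowise service whose executable is not allowlisted.
    Custom MCP stdio servers are children of the service, so anything else
    in that subtree is unexpected and returned as (pid, args)."""
    roots = flowise_pids(procs)
    flagged = []
    for pid, (ppid, comm, args) in sorted(procs.items()):
        ancestor = ppid  # walk up the parent chain until Flowise or init
        while ancestor in procs and ancestor not in roots:
            ancestor = procs[ancestor][0]
        if ancestor in roots and comm not in allowed:
            flagged.append((pid, args))
    return flagged

if __name__ == "__main__":
    out = subprocess.run(["ps", "-eo", "pid,ppid,comm,args"],
                         capture_output=True, text=True, check=True)
    for pid, args in unexpected_children(parse_ps(out.stdout)):
        print(f"unexpected Flowise child {pid}: {args}")
```

Run it from cron or a monitoring agent on the Flowise host and alert on any output; on the constructed sample it flags the `sh -c whoami` child and its `whoami` grandchild while leaving the allowlisted `npx` MCP server alone.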

This is the third command-injection CVE targeting the same Custom MCP feature this year, following CVE-2026-40933 (CVSS 9.9) and CVE-2025-59528 (CVSS 10.0). Each fix narrowed the attack surface incrementally, and each time researchers found a new bypass.
