Updated · InfoWorld · Jun 1
Obsidian Details Flowise 9.9 RCE via One-Click MCP Import
  • CVE-2026-40933 lets attackers trigger post-auth remote code execution in self-hosted Flowise with a single malicious chatflow import, before any save or run step.
  • Flowise’s MCP stdio feature accepts attacker-controlled server configurations with arbitrary commands, and those commands execute with the Flowise process’s privileges—potentially root in containerized deployments.
  • Obsidian said Flowise’s patch rounds, including checks added in updates #5232, #5741 and #5943, rely on input validation that can still be bypassed and do not remove the core risk.
  • The flaw carries a 9.9 CVSS score and could expose API keys, databases, cloud resources and SaaS apps reachable through Flowise; Flowise Cloud is not affected because stdio MCP is disabled there.
  • Obsidian said the only complete mitigation is disabling MCP stdio by setting CUSTOM_MCP_PROTOCOL=sse; otherwise, users should pin trusted packages and scrutinize imported chatflows.
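One way to act on the advice to scrutinize imported chatflows and pin packages is to audit the export file before it ever reaches the import dialog. The script below is an added example, not code from Obsidian or Flowise. The field names in the constructed sample (`nodes`, `mcpServerConfig`, `command`, `args`) are assumptions about the export layout, which is why the scanner walks the whole document, including JSON embedded in strings, instead of relying on them.

```python
import json
import re

# Constructed sample export; field names are assumptions, not Flowise's documented schema.
SAMPLE_CHATFLOW = json.dumps({"nodes": [
    {"id": "llm_0", "data": {"inputs": {"modelName": "example-model"}}},
    {"id": "customMCP_0", "data": {"inputs": {"mcpServerConfig": json.dumps(
        {"command": "npx", "args": ["-y", "example-mcp-server"]})}}},
    {"id": "customMCP_1", "data": {"inputs": {"mcpServerConfig": json.dumps(
        {"command": "npx", "args": ["-y", "example-mcp-server@1.2.3"]})}}},
]})

# name@x.y.z or @scope/name@x.y.z counts as pinned; bare names and tags do not.
PINNED = re.compile(r"^(@[^/@\s]+/)?[^@\s]+@\d+\.\d+\.\d+\S*$")

def _walk(value, path):
    """Yield (path, dict) for every dict, descending into JSON-encoded strings."""
    if isinstance(value, str):
        text = value.strip()
        if text[:1] not in ("{", "["):
            return
        try:
            value = json.loads(text)
        except ValueError:
            return
    if isinstance(value, dict):
        yield path, value
        for key, child in value.items():
            yield from _walk(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from _walk(child, f"{path}[{index}]")

def audit_chatflow(text):
    """Return one finding per object that defines a command to launch."""
    findings = []
    for path, obj in _walk(json.loads(text), "$"):
        command = obj.get("command")
        if not isinstance(command, str):
            continue
        raw = obj.get("args")
        args = [a for a in raw if isinstance(a, str)] if isinstance(raw, list) else []
        # Heuristic: every non-flag argument is treated as a package reference.
        packages = [a for a in args if not a.startswith("-")]
        pinned = bool(packages) and all(PINNED.match(p) for p in packages)
        findings.append({"path": path, "command": command, "args": args, "pinned": pinned})
    return findings
```

Any finding means the file would define a process to launch on the Flowise host and deserves manual review; a `pinned` value of `False` additionally marks a package reference that can change between runs.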