Cyber Posture

CVE-2026-40933

Critical · Public PoC · RCE

Published: 21 April 2026

Modified: 23 April 2026
KEV Added: not listed
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0005 (14.8th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40933 is a critical-severity OS Command Injection (CWE-78) vulnerability in Flowiseai Flowise. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 14.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (Unix Shell, T1059.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly prevents OS command injection in the Custom MCP configuration by validating and sanitizing stdio command inputs to block arbitrary execution like 'npx -c touch /tmp/pwn'.
- prevent: Mitigates the MCP adapter serialization flaw by requiring timely patching to Flowise version 3.1.0 or later.
- prevent: Enforces strict restrictions on command inputs to the MCP stdio server, such as whitelisting only predefined safe commands and blocking bypasses of existing sanitization checks.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in the web application enables T1190 (Exploit Public-Facing Application) for initial access and T1059.004 (Unix Shell) for arbitrary command execution, leading to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerability lies in a bug in the input sanitization of the "Custom MCP" configuration in http://localhost:3000/canvas, where any user can add a new MCP. When doing so, adding a new MCP using stdio, the user can add any command, even though your code has input sanitization checks such as validateCommandInjection and validateArgsForLocalFileAccess, and a list of predefined specific safe commands. These commands, for example "npx", can be combined with code execution arguments ("-c touch /tmp/pwn") that enable direct code execution on the underlying OS. This vulnerability is fixed in 3.1.0.

Deeper analysis (AI-generated)

CVE-2026-40933 is an OS command injection vulnerability (CWE-78) affecting Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. The issue resides in the MCP adapter's unsafe serialization of stdio commands, specifically within the "Custom MCP" configuration accessible at http://localhost:3000/canvas in versions prior to 3.1.0. Despite input sanitization checks such as validateCommandInjection, validateArgsForLocalFileAccess, and a list of predefined safe commands, an attacker can bypass these checks by combining an allowed command such as "npx" with execution arguments, for example "npx -c touch /tmp/pwn": the command name passes the allowlist while the arguments carry the code to be run.

An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By adding a new MCP stdio server, they inject arbitrary commands, achieving remote code execution (RCE) on the underlying operating system. The vulnerability's CVSS v3.1 base score of 9.9 reflects its critical severity, with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) and a changed scope (S:C).

The Flowise security advisory (GHSA-c9gw-hvqq-f33r) confirms the vulnerability is fixed in version 3.1.0. Additional context from OX Security advisories highlights this as part of broader MCP supply-chain risks across the AI ecosystem, including systemic vulnerabilities in MCP implementations.

This issue is particularly relevant to AI/ML deployments, as Flowise enables LLM workflow orchestration, potentially exposing production AI systems to supply-chain compromise. No public evidence of real-world exploitation is noted in the provided references.
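The mitigation entries above and the NVD description both come down to one point: a check that allowlists only the executable name is bypassed when the arguments themselves carry code to execute. As an added example (not Flowise's own code or its 3.1.0 fix), the JavaScript below places that weak, name-only check beside an argument-aware policy; the approved commands and package names are illustrative assumptions for a deployment's own policy.

```javascript
// Added example, not Flowise's code or fix. The approved commands and package
// names below are illustrative assumptions for a deployment's own policy.
const APPROVED_PACKAGES = {
  npx: new Set(["@modelcontextprotocol/server-filesystem"]),
  uvx: new Set(["mcp-server-fetch"]),
};
const SAFE_COMMANDS = new Set(Object.keys(APPROVED_PACKAGES));
const SHELL_META = /[;&|`$<>(){}\n\\"']/;

// Weak check: only the executable name is compared against the allowlist.
// "npx -c touch /tmp/pwn" passes because "npx" is approved and the argument
// string is never inspected, which is the shape of bypass the description names.
function weakValidate(command, args) {
  return SAFE_COMMANDS.has(command);
}

// Hardened check (assumed design): the command must be an approved package
// runner, no argument may be an option flag, the first positional must be an
// approved MCP server package, and no argument may carry shell metacharacters.
// The caller must still launch it with spawn(command, args, { shell: false }),
// never by joining the pieces into a command line string.
function hardenedValidate(command, args) {
  if (!SAFE_COMMANDS.has(command)) {
    return { ok: false, reason: "command not allowlisted" };
  }
  if (!Array.isArray(args) || args.some((a) => typeof a !== "string")) {
    return { ok: false, reason: "args must be an array of strings" };
  }
  for (const a of args) {
    if (a.startsWith("-")) return { ok: false, reason: `option flag not permitted: ${a}` };
    if (SHELL_META.test(a)) return { ok: false, reason: `shell metacharacter in: ${a}` };
  }
  if (args.length === 0 || !APPROVED_PACKAGES[command].has(args[0])) {
    return { ok: false, reason: `package not approved: ${args[0] ?? "(none)"}` };
  }
  return { ok: true, reason: "" };
}

// Accepts the raw "command args..." text a form field might submit.
function hardenedValidateLine(line) {
  const [command, ...args] = line.trim().split(/\s+/);
  return hardenedValidate(command, args);
}

// Sample inputs (constructed): the PoC shape quoted in the description and an approved server.
const DEMO = ["npx -c touch /tmp/pwn", "npx @modelcontextprotocol/server-filesystem /srv/docs"];
for (const line of DEMO) console.log(line, "=>", hardenedValidateLine(line));
```

The name-only check returns true for the quoted PoC shape, while the hardened policy rejects it at the first option flag and accepts only an approved package with plain positional arguments.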

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: flowiseai / flowise, ≤ 3.1.0

AI Security Analysis (AI-generated)

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: large language model, mcp, mcp, mcp, mcp, mcp

CVEs Like This One

- CVE-2026-41268 (same product: Flowiseai Flowise)
- CVE-2025-8943 (same product: Flowiseai Flowise)
- CVE-2025-59528 (same product: Flowiseai Flowise)
- CVE-2025-58434 (same product: Flowiseai Flowise)
- CVE-2025-50538 (same product: Flowiseai Flowise)
- CVE-2025-61913 (same product: Flowiseai Flowise)
- CVE-2026-41274 (same product: Flowiseai Flowise)
- CVE-2025-34267 (same product: Flowiseai Flowise)
- CVE-2026-41277 (same product: Flowiseai Flowise)
- CVE-2026-41272 (same product: Flowiseai Flowise)
