CVE-2026-56274: Flowise AI Multiple OS Command Injection Vulnerabilities in Custom MCP Server (CVSS 9.9)

CVE: CVE-2026-56274 | CVSS 3.1: 9.9 (CRITICAL) | CWE: CWE-78 | Vendor: FlowiseAI | Product: Flowise | Affected versions: < 3.1.2


What Is the Vulnerability

Flowise is an open-source low-code platform for building LLM application flows and AI agents. The Custom MCP Server feature contains multiple OS command injection vulnerabilities due to incomplete command-flag validation and a regex bypass in local file access restrictions.

Any Flowise user, regardless of role, can exploit this vulnerability. Additionally, anyone with API view or update permissions can trigger the command injection. An attacker can inject arbitrary operating system commands through crafted MCP server configurations, leading to full remote code execution on the underlying host.

This marks the fourth AI framework and tool vulnerability disclosed in this period, following critical issues in Mastra (supply chain), LiteLLM, and AutoGen Studio. The concentration of vulnerabilities across the AI/LLM tooling ecosystem underscores the immaturity of security practices in this rapidly expanding domain.


Versions Affected

  • Flowise versions prior to 3.1.2

Exploited?

There is NO known active exploitation of CVE-2026-56274 in the wild at this time. However, given the critical severity (CVSS 9.9), the low complexity of exploitation, and the widespread deployment of Flowise in AI/LLM environments, the likelihood of near-term exploitation is high. Organizations should prioritize patching immediately.


Fix

Upgrade to Flowise version 3.1.2 or later, which includes comprehensive input sanitization, proper command-flag validation, and a hardened regex for local file access restrictions. The patch addresses all identified OS command injection vectors in the Custom MCP Server feature.


Recommendations

  • Upgrade Flowise to version 3.1.2+ immediately on all instances.
  • Audit MCP server configurations for any signs of tampering or injected commands.
  • Restrict API access to trusted users and networks; apply the principle of least privilege.
  • Monitor Flowise host systems for unexpected process execution or outbound connections.
  • Consider network segmentation for Flowise instances in production environments.
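
One way to carry out the configuration audit recommended above, as an added example that is not Flowise's own code or part of the original advisory. It assumes each Custom MCP Server config is available as a JSON string with `command` and `args` keys (the shape commonly used for MCP stdio servers); the allowlist, pattern lists and sample configs are constructed for illustration.

```python
import json
import os
import re

# Assumptions, not taken from the advisory: adjust the allowlist to the
# commands your own flows legitimately launch.
ALLOWED_COMMANDS = {"npx", "node", "docker"}
SHELLS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe", "powershell", "pwsh"}
INLINE_CODE_FLAGS = {"-c", "-e", "--eval", "--call"}
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(|\$\{")

# Constructed sample configs (one expected-clean, two that should be flagged).
SAMPLES = {
    "filesystem": '{"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/data"]}',
    "shell-wrapper": '{"command": "/bin/sh", "args": ["-c", "echo constructed-sample"]}',
    "meta-in-arg": '{"command": "npx", "args": ["-y", "example-server; echo constructed-sample"]}',
}


def audit_config(raw):
    """Return a list of findings for one MCP server config given as a JSON string."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"unparseable config: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["config is not a JSON object"]
    command, args = cfg.get("command", ""), cfg.get("args", [])
    if not isinstance(command, str) or not isinstance(args, list):
        return ["unexpected types for command/args"]
    findings = []
    base = os.path.basename(command.replace("\\", "/")).lower()
    if base in SHELLS:
        findings.append(f"command is a shell interpreter: {command}")
    elif command not in ALLOWED_COMMANDS:
        findings.append(f"command not on allowlist: {command}")
    for i, arg in enumerate(map(str, args)):
        if arg in INLINE_CODE_FLAGS:
            findings.append(f"args[{i}] is an inline-code flag: {arg}")
        if SHELL_META.search(arg):
            findings.append(f"args[{i}] contains shell metacharacters: {arg!r}")
    return findings


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit_config(raw) or "ok")
```

The findings are triage heuristics for reviewing stored configurations; they do not replace upgrading to 3.1.2 or later.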

References

Part of the Vulnerability Intelligence series on threat-modeling.com. See the June 24, 2026 Vulnerability Intelligence Report for broader context.
