External risk intelligence

Flowise Custom MCP Unsandboxed Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2025-71336

Flowise is a web-based platform for building LLM applications that typically exposes an API endpoint for interaction. Because the default installation often runs without authentication, the vulnerable management and API surface is frequently exposed directly to the internet in common deployments.

OS Command Injection

Flowiseai Flowise

before 3.0.6

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Flowise, a platform for building LLM applications, allowing attackers to execute arbitrary operating system commands. This could lead to a complete compromise of the affected container or server due to the platform's minimal authentication and authorization controls, especially in default installations that run without passwords.

  • Unauthenticated command execution on Flowise.
  • Enables full platform compromise.
  • Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker can execute arbitrary operating system commands by sending a specially crafted JSON payload to a specific API endpoint. This is possible because the vulnerable feature is not properly sandboxed and the platform's default authentication is minimal, often running without any credentials unless explicitly configured. Successful exploitation allows an attacker to gain complete control over the container or server hosting the platform.

  • No authentication required for access.
  • Triggered by sending a crafted JSON payload.
  • Results in full platform compromise.

Live Threat

Current exploitation, exposure, and threat context

An unsandboxed remote code execution vulnerability in the Custom MCP feature of Flowise could allow an unauthenticated attacker to execute arbitrary operating system commands. This could occur when the platform is installed without authentication, enabling an attacker to send a crafted payload to a specific API endpoint. Successful exploitation could lead to a complete compromise of the platform container or server.

  • System commands on the container/server.
  • Unauthenticated API access to execute commands.
  • Complete compromise of the platform container.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Flowise platform, particularly earlier versions, has a critical vulnerability that allows for unauthenticated remote code execution. This risk primarily falls to the platform or application owners responsible for managing Flowise instances. The initial priority is to determine the scope of deployments, identify critical or exposed instances, and locate the accountable owner to begin remediation planning.

  • Platform/application owners should own the issue.
  • Verify if Flowise is externally accessible.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Flowise?

Flowise is a low-code platform designed for building applications powered by Large Language Models (LLMs). It provides a drag-and-drop interface for developers to create conversational workflows and complex chains. The software often acts as a central hub for LLM integrations, necessitating connectivity to both internal data sources and external services to function as intended.

What does CVE-2025-71336 mean for my system?

This vulnerability is an unsandboxed Remote Code Execution (RCE) flaw, categorized as CWE-78 (OS Command Injection). Because the Custom MCP feature fails to properly validate input before executing OS-level commands, an attacker can trick the server into running unauthorized instructions. This bypasses typical application boundaries, effectively giving an attacker the same permissions as the software itself on the underlying host or container.

How is this vulnerability triggered?

An attacker triggers the bug by sending a specifically crafted JSON request to the /api/v1/node-load-method/customMCP endpoint. Because the platform's default configuration often operates without requiring a username or password, no authentication is needed to reach this endpoint. Legitimate, non-malicious interactions with the Custom MCP feature, such as standard usage that does not include the crafted payload, do not trigger this command execution flaw.

Is my instance at risk?

According to Halo Surface Signal, your risk level is likely higher if your Flowise deployment is exposed to the internet. Since the platform frequently runs without default authentication, any instance reachable via a public network can be targeted by an unauthenticated remote user. If your instance is restricted to an internal network with access controls, the immediate risk is lower, though the internal flaw remains.

What should I do to secure my Flowise deployment?

First, identify all active instances of Flowise within your environment and determine which are internet-facing. If you are running a version earlier than 3.0.6, you must plan an update to a patched version immediately. As an urgent interim measure, ensure that authentication is strictly enforced by configuring the FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables to prevent unauthenticated access to the API.

References