Flowise RCE CVE-2026-40933 Has Public Exploit Code — One-Click Chatflow Import Owns Servers

Obsidian Security published proof-of-concept code on May 30, 2026 for CVE-2026-40933, a CVSS 10.0 remote code execution flaw in Flowise. A malicious chatflow import owns the server. Patch 3.1.0 contains the fix.


Key Takeaways

  • Obsidian Security published proof-of-concept exploit code on May 30, 2026 for CVE-2026-40933, a CVSS 10.0 remote code execution flaw in Flowise, the open-source LLM workflow builder.
  • All Flowise versions up to and including 3.0.13 are vulnerable; the fix is in version 3.1.0. The exploit chains a malicious Custom MCP configuration imported through a chatflow to OS-level command execution under the Flowise process — often root in container deployments.
  • Organizations running self-hosted Flowise should upgrade to 3.1.0 immediately, restrict chatflow imports to trusted sources, rotate every credential and API key stored on the instance, and put any internet-exposed Flowise instance behind a VPN until patched.

Public exploit code is the urgency signal here, not the CVSS score. A 10.0 vulnerability with no PoC is a patch-on-the-next-window problem; a 10.0 vulnerability with a working chatflow-import exploit on the public internet is a patch-this-shift problem, and Flowise just crossed that line.

SAN FRANCISCO, CALIFORNIA — On May 30, 2026, SecurityWeek reported that researchers at Obsidian Security have published proof-of-concept exploit code for CVE-2026-40933, a critical remote code execution vulnerability in Flowise — the open-source drag-and-drop builder that organizations self-host to construct and run LLM agent, retrieval-augmented-generation, and chatbot pipelines. The flaw carries the maximum CVSS v3.1 score of 10.0, affects all Flowise versions up to and including 3.0.13, and is fixed in version 3.1.0. The exploit chain is short: an attacker crafts a chatflow JSON that contains a malicious Custom MCP — a Model Context Protocol server configuration that abuses the way Flowise's MCP stdio adapter serializes command arguments — and convinces a user to import it through the Flowise UI. When the import completes, the attacker's command runs on the Flowise server with the privileges of the Flowise process, which in typical container deployments is root.

The vulnerability was disclosed responsibly by researcher MosesOX of Obsidian Security and published to the GitHub Advisory Database on April 16, 2026, six weeks before the public PoC release. The May 30 publication is the first time working exploit code has been on the public internet, and it lands while Flowise instances remain widely exposed — earlier coverage by The Hacker News and VulnCheck identified more than 12,000 internet-facing Flowise instances during a separate exploitation campaign against a different Flowise RCE earlier this year.

Disclosure Overview

Vulnerability: CVE-2026-40933 — authenticated OS command injection in the Flowise MCP stdio adapter (CWE-78)
Affected Product: Flowise — open-source drag-and-drop LLM workflow builder (npm packages flowise and flowise-components)
Affected Versions: All versions up to and including 3.0.13
Patched Version: 3.1.0
Severity: Critical — CVSS v3.1 base score 10.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Exploit Status: Public proof-of-concept exploit code published by Obsidian Security on May 30, 2026
Trigger: User-initiated import of a malicious chatflow containing a Custom MCP with a crafted stdio command
Disclosure: Reported by MosesOX (Obsidian Security); GitHub advisory GHSA-c9gw-hvqq-f33r published April 15-16, 2026

What Happened

The root cause of CVE-2026-40933 sits in a narrow corner of Flowise that few defenders are watching: the Custom MCP node. Flowise lets a user add an external Model Context Protocol server to a chatflow, and when that server runs over stdio rather than HTTP, the configuration carries a command and an args array that Flowise serializes and executes locally. The product applies input sanitization — a validateCommandInjection check, a validateArgsForLocalFileAccess check, and an allowlist of safe binaries such as npx. The flaw is that the allowlist alone is not a defense: npx can be invoked with arguments that execute arbitrary code. The proof-of-concept in the GitHub Security Advisory is precisely that — a Custom MCP configuration with command 'npx' and args ['-c', 'touch /tmp/pwn'] — and it walks straight through every sanitizer Flowise has.

Because the vulnerable surface is the chatflow-import path, the exploit does not require an attacker to reach Flowise directly. It only requires a user with chatflow-import privileges to be convinced to import a chatflow JSON. That is a social-engineering primitive that maps cleanly onto how Flowise communities actually work today — chatflows are shared as JSON files in tutorials, on Discord servers, and in GitHub gists, and importing one is a single click in the UI. The Obsidian Security writeup, and the Ox Security supply-chain advisory it links to, frame this as a systemic problem in MCP-adapter implementations rather than a Flowise-specific bug; CVE-2026-40933 is the first time the class has produced a CVSS 10.0 result against a popular platform.

The Chatflow-Import-to-RCE Chain in Plain English

The attack chain is short enough to describe in five steps. First, the attacker writes a chatflow JSON that includes a Custom MCP configuration with stdio transport. Second, inside that configuration, the attacker sets command to an allowlisted binary — npx is the published example — and sets args to an array whose elements invoke shell behavior the binary itself supports. Third, the attacker delivers that JSON to a Flowise user, framed as a useful agent template, a community example, or a customer-supplied workflow. Fourth, the user imports the chatflow through the Flowise UI; Flowise validates the configuration with its existing checks, finds nothing actionable, and serializes the command. Fifth, when the chatflow runs, the Flowise process executes the attacker's command at OS level. Endor Labs and the GitHub advisory both describe the post-exploitation result the same way: every credential stored in the Flowise platform is readable, every connected service is reachable, and in container deployments the Flowise process commonly runs as root.

Self-Hosted LLM Infrastructure Is the Newest Tier-1 Attack Surface

Flowise is the fourth self-hosted developer or workflow platform to appear in The CyberSignal's coverage in the last two weeks with a critical, externally weaponizable bug. It follows the unpatched Gogs argument-injection RCE that Rapid7 disclosed at CVSSv4 9.4, Gitea's CVE-2026-27771 unauthenticated private-container-image pull, and the Ghost CMS CVE-2026-26980 SQL injection that ClickFix used to compromise more than 700 sites. Read together, the cluster is the story: self-hosted productivity infrastructure — source control, container registries, content management, and now LLM workflow builders — is now a Tier-1 patching surface regardless of category. Flowise extends that pattern into the AI-velocity corner, where teams have adopted new platforms faster than their security baselines have caught up.

Why the LLM-Workflow-Builder Category Is Especially Exposed

Flowise, LangChain, LangGraph, n8n, Dify, and AutoGen sit at an awkward intersection. They are powerful enough to be deployed with broad outbound network access, broad credential access, and broad filesystem access — because the whole point of an LLM workflow builder is to wire LLMs into databases, vector stores, APIs, and downstream tools. They are also new enough that most organizations have not extended the web-application security baselines they apply to Jira, Confluence, or Jenkins to cover them. The result is a category of platforms that often runs with root in a container, holds production API keys for OpenAI or Anthropic, has read access to internal vector databases, and is reachable from the public internet because someone wanted to demo a chatbot. CVE-2026-40933 is the first widely-weaponized RCE that lines up with all of those conditions at once, but it will not be the last.

Scope and Impact

The blast radius of a successful CVE-2026-40933 exploit scales with whatever the Flowise instance is wired into. Flowise instances commonly hold LLM-provider API keys, vector-database credentials, and downstream tool tokens — and they are wired into production data sources by design. An attacker who reaches the Flowise process inherits all of that. In containerized deployments, the Flowise process typically runs as root inside the container, which means the attacker also gets full filesystem access, environment-variable access, and the ability to pivot through the container's network namespace. The earlier The Hacker News coverage of a separate Flowise RCE identified more than 12,000 internet-facing Flowise instances; that population is the realistic upper bound on opportunistic exposure for this campaign as well, though the chatflow-import precondition narrows actual exploitation to instances where a user can be socially engineered into importing a JSON file.

What is unambiguous is that the public PoC closes the window between disclosure and exploitation. The advisory was published on April 16, 2026; for six weeks the technical detail was specific enough for sophisticated attackers to reproduce but not packaged for opportunistic use. The May 30 Obsidian Security writeup changes that — it ships a working exploit, an attacker template, and an explanation of why the existing sanitizers do not stop it. That sequence — CVSS 10.0, six weeks of latency, then a public PoC — is the same pattern that drove the Verizon DBIR 2026 conclusion that vulnerability exploitation has overtaken credential theft as the number-one initial-access vector, and it is the pattern defenders should expect to see repeat across the LLM-workflow-builder category as more researchers turn their attention to it.

It is worth noting what CVE-2026-40933 is not. It is not the same as CVE-2025-59528, the CustomMCP code injection that VulnCheck saw being exploited from a single Starlink IP address in April 2026 — that flaw was patched in Flowise 3.0.6 and is a separate bug in the same general area. It is also distinct from the broader cluster of AI-assistant abuse stories The CyberSignal has tracked — the SymJack fake-Claude-installers cryptojacking campaign and the Trapdoor supply-chain packages that poisoned AI assistants through npm, PyPI, and crates.io — though all three sit inside the same broader trend of attackers targeting the AI-tooling stack. For CVE-2026-40933, the relevant fact is narrow: a chatflow JSON is now an arbitrary-code-execution file format, and it should be handled accordingly.

Response and Attribution

For any organization running self-hosted Flowise, the immediate action is to upgrade to version 3.1.0. The fix is available in both the flowise and flowise-components npm packages and is the only complete remediation. If an upgrade cannot be performed inside the next maintenance window, the interim controls are to restrict chatflow imports to instance administrators only, to pull any internet-exposed Flowise instance behind a VPN or authentication boundary, and to brief every user with Flowise UI access that they should not import any chatflow file from any external source — community templates, customer-supplied workflows, GitHub gists, or Discord shares — until the patch is in place. Any instance that may have been compromised between the April 16 advisory and the upgrade should be treated as fully owned: rotate every LLM-provider API key, vector-database credential, and downstream tool token stored on it; audit cloud audit logs for credential reuse; and pivot through container-host telemetry for the Flowise process to look for unexpected child processes spawned from chatflow-import endpoints.

For LLM-platform and ML-platform teams, the structural action is an inventory. Every self-hosted LLM workflow or agent platform in the environment — Flowise, LangChain server, LangGraph deployments, n8n, Dify, AutoGen, and the assorted internal forks of each — needs to be enumerated, each instance confirmed to be behind a VPN or authentication boundary, and each one patched against the latest disclosed vulnerabilities for its codebase. Treat chatflow, agent-flow, and workflow JSON imports the same way a mature security program treats Office macros, Excel add-ins, or arbitrary binary uploads: assume the file format is arbitrary-code-execution capable until proven otherwise. For SOC and threat-hunting teams, the highest-yield post-compromise indicator is outbound traffic from Flowise hosts to unfamiliar destinations — credential exfiltration is the most valuable post-RCE objective on these platforms — and the second is unexpected child processes spawned by the Flowise Node.js process during a chatflow-import event.

For CISOs, the editorial takeaway is the cluster, not the single CVE. The self-hosted-LLM-infrastructure-as-shadow-IT problem has been building for eighteen months, and CVE-2026-40933 is the first widely-weaponized RCE that demonstrates the predicted security debt is now coming due. Read alongside Gogs, Gitea, and the Ghost CMS ClickFix campaign, the pattern is unambiguous: self-hosted productivity and AI infrastructure has moved from peripheral risk to Tier-1 patching surface in under a year, and the security baselines that govern Jira and Confluence should now extend to every LLM workflow builder, agent framework, and self-hosted developer tool the organization runs.


The CyberSignal Analysis

Signal 01 — Public Exploit Code Is the Urgency Bit, Not the CVSS

A CVSS 10.0 score has been on this advisory for six weeks, and most defenders did not move on it during that window. The pattern is consistent across the industry: high CVSS by itself is treated as a backlog item; high CVSS plus a public, working, reproducible PoC is treated as a shift-level action. The Obsidian Security writeup is the urgency event for CVE-2026-40933, not the original advisory, and security programs that key on PoC publication rather than on CVSS alone are about to do the right thing. The harder question for defenders is whether their patch-prioritization workflow can incorporate the PoC-published signal as a first-class input rather than relying on CVSS, CISA KEV inclusion, or a vendor advisory bulletin — because PoC publication is increasingly the variable that decides which CVSS-critical bugs actually get exploited at scale.

Signal 02 — A Chatflow JSON Is Now an Executable File Format

The structural lesson from CVE-2026-40933 is that the chatflow JSON has joined a small but growing set of seemingly-passive data formats that are, in practice, arbitrary-code-execution carriers — alongside Office macros, Excel formulas with DDE, Jenkinsfile Groovy DSL, GitHub Actions workflow YAML, and now LLM-workflow JSON. The defensive implication is narrow and concrete: every team running an LLM workflow builder needs to add chatflow JSON, agent-flow JSON, and equivalent workflow-definition formats to the list of file types that get scanned, sandboxed, and reviewed before import. The bigger implication is editorial: as more of the developer toolchain becomes declarative-YAML-and-JSON-glue around LLMs and agents, the universe of executable file formats will keep growing, and the security model has to grow with it.
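A pre-import scanner for chatflow JSON, as an added example serving both the root-cause discussion (an allowlist of binaries is not a defense when the allowlisted binary is a launcher such as npx) and the "scan before import" point above. This is not the original article's or Flowise's code. It assumes a chatflow export is a JSON object with a nodes list and that a Custom MCP node stores its server definition as a JSON string under data.inputs.mcpServerConfig with command and args keys; that layout, the node names, and the launcher list are assumptions for the example, and the sample chatflows are constructed (the flagged one copies the command and args shape the advisory's PoC uses).

```python
"""Pre-import scanner for Flowise-style chatflow JSON (added example).

Assumed layout (not confirmed against Flowise's schema): a chatflow export is
{"nodes": [...]} and a Custom MCP node keeps its server definition as a JSON
string at data.inputs.mcpServerConfig; a stdio server is a dict with
"command" and "args". The scanner walks the whole document, parses embedded
JSON strings, and flags every stdio server it finds. Launcher binaries are
blocked outright because an allowlist that admits them admits whatever their
arguments name; everything else is held for administrator review.
"""
import json
from typing import Any, Iterator

# Binaries that execute whatever their arguments name. Illustrative set for
# this example, not Flowise's allowlist.
LAUNCHERS = {"npx", "npm", "node", "uvx", "uv", "python", "python3",
             "sh", "bash", "docker"}

# Constructed sample exports. The second contains a stdio MCP server with the
# same command/args shape as the advisory's PoC.
BENIGN_CHATFLOW = json.dumps({"nodes": [
    {"id": "chatOpenAI_0", "data": {"name": "chatOpenAI",
                                    "inputs": {"modelName": "gpt-4o"}}},
]})
SUSPECT_CHATFLOW = json.dumps({"nodes": [
    {"id": "chatOpenAI_0", "data": {"name": "chatOpenAI",
                                    "inputs": {"modelName": "gpt-4o"}}},
    {"id": "customMCP_0", "data": {"name": "customMCP", "inputs": {
        "mcpServerConfig": json.dumps(
            {"command": "npx", "args": ["-c", "touch /tmp/pwn"]}),
    }}},
]})


def iter_mcp_servers(doc: Any, path: str = "$") -> Iterator[tuple[str, dict]]:
    """Yield (json_path, server_dict) for every dict carrying a string
    "command" (with an optional list "args"), descending into JSON strings
    because the server config is assumed to be embedded as a string."""
    if isinstance(doc, str):
        try:
            parsed = json.loads(doc)
        except ValueError:
            return
        if isinstance(parsed, (dict, list)):
            yield from iter_mcp_servers(parsed, path)
        return
    if isinstance(doc, dict):
        if isinstance(doc.get("command"), str) and isinstance(doc.get("args", []), list):
            yield path, doc
        for key, value in doc.items():
            yield from iter_mcp_servers(value, f"{path}.{key}")
    elif isinstance(doc, list):
        for i, value in enumerate(doc):
            yield from iter_mcp_servers(value, f"{path}[{i}]")


def scan_chatflow(text: str) -> list[dict]:
    """Return one finding per stdio MCP server in the export."""
    findings = []
    for path, server in iter_mcp_servers(json.loads(text)):
        cmd = server["command"]
        base = cmd.rsplit("/", 1)[-1]          # "/usr/bin/npx" -> "npx"
        findings.append({
            "path": path,
            "command": cmd,
            "args": [str(a) for a in server.get("args", [])],
            "severity": "block" if base in LAUNCHERS else "review",
        })
    return findings


def import_decision(text: str) -> str:
    """'block' if any launcher is present, 'review' if any stdio server is
    present, 'allow' only when the export spawns nothing locally."""
    findings = scan_chatflow(text)
    if any(f["severity"] == "block" for f in findings):
        return "block"
    return "review" if findings else "allow"


if __name__ == "__main__":
    for label, flow in (("benign", BENIGN_CHATFLOW), ("suspect", SUSPECT_CHATFLOW)):
        print(label, import_decision(flow), scan_chatflow(flow))
```

The decision deliberately never returns "allow" for a chatflow that launches any local command: the point of the advisory is that once a stdio server is present, the question is not whether the binary is on a list but whether an administrator has read the command and arguments.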

Signal 03 — Self-Hosted AI Tooling Is Now Tier-1 Patching Surface

Flowise is the clearest demonstration so far that the LLM-workflow-builder category has moved from emerging-tooling status to critical-infrastructure status — at least from an attacker's point of view. The combination of broad credential access, broad network reach, root-in-container default deployments, and an internet-exposed admin UI is exactly the profile that defined Jenkins, Confluence, and Gitea before each became routine ransomware entry points. The same playbook is now available against Flowise, against LangChain server, against n8n, and against the rest of the category. Security organizations that treat self-hosted AI infrastructure as research-only or experimental are working from a threat model that closed when the public PoC for CVE-2026-40933 went live. The pivot point has arrived; the patch baseline has to catch up.


Sources

Reporting: SecurityWeek — Exploit Code Published for Critical Flowise RCE Vulnerability
Primary: GitHub Advisory Database — Flowise: Authenticated RCE Via MCP Adapters (CVE-2026-40933 / GHSA-c9gw-hvqq-f33r)
Primary: FlowiseAI/Flowise Releases (verify patched version 3.1.0)
Analysis: Endor Labs — CVE-2026-40933, Flowise: Authenticated RCE Via MCP Adapters
Analysis: Ox Security — MCP Supply Chain Advisory: RCE Vulnerabilities Across the AI Ecosystem
Reporting: The Hacker News — Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
Background: SentinelOne Vulnerability Database — CVE-2026-40933: Flowiseai Flowise RCE Vulnerability