Flowise’s MCP implementation can run ghost commands
Enterprises using the lightweight, open-source Flowise platform to power self-hosted AI workloads now have a new near-max-severity issue to worry about. Researchers at Obsidian Security have detailed a one-click remote code execution (RCE) vulnerability that affects self-hosted Flowise deployments through the platform's implementation of Model Context Protocol (MCP) stdio servers.

The problem is essentially a failure to sandbox attacker-controlled MCP configurations, which leads to server-side code execution.

“Post-auth RCE in Flowise can be triggered with a single click via a malicious chatflow import before any save or run,” the researchers said in a blog post. “The official patch relies on input validation that is trivially bypassed and fails to address the root cause.”

Flowise is commonly used to develop internal AI assistants, retrieval-augmented generation (RAG) applications, customer-facing chatbots, and autonomous agents connected to business systems. The flaw does not affect Flowise Cloud, a