CVE-2025-71336
published 2026-06-25CVE-2025-71336: Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which…
PriorityP274critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.73%
49.5th percentile
Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute OS commands such as launching local MCP servers. Because Flowise's authentication and authorization model is minimal and lacks role-based access control, and the default installation runs without authentication unless FLOWISE_USERNAME and FLOWISE_PASSWORD are set, an attacker can send a crafted JSON payload with the header 'x-request-from: internal' to the /api/v1/node-load-method/customMCP endpoint to execute arbitrary OS commands, resulting in complete compromise of the platform container or server.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowise | flowise | < 3.0.6 | 3.0.6 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute OS commands such
ghsa_unreviewed·2026-06-26
CVE-2025-71336 [CRITICAL] CWE-78 Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute OS commands such
Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute OS commands such as launching local MCP servers. Because Flowise's authentication and authorization model is minimal and lacks role-based access control, and the default installation runs without authentication unless FLOWISE_USERNAME and FLOWISE_PASSWORD are set, an attacker can send a crafted JSON payload with the header 'x-request-from: internal' to the /api/v1/node-load-method/customMCP endpoint to execute arbitrary OS commands, resulting in complete compromise of the platform container or server.
VulDB
Flowise up to 3.0.5 Custom MCP Feature customMCP os command injection (GHSA-6933-jpx5-q87q)
vuldb·2026-06-26·CVSS 9.8
CVE-2025-71336 [CRITICAL] Flowise up to 3.0.5 Custom MCP Feature customMCP os command injection (GHSA-6933-jpx5-q87q)
A vulnerability labeled as critical has been found in Flowise up to 3.0.5. The impacted element is an unknown function of the file /api/v1/node-load-method/customMCP of the component Custom MCP Feature. Executing a manipulation can lead to os command injection.
This vulnerability is tracked as CVE-2025-71336. The attack can be launched remotely. No exploit exists.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-25
Published