An unauthenticated remote code execution vulnerability in the Flowise Custom MCP feature allows attackers to gain full control over the platform container or underlying host server.

The Custom MCP feature lacks proper sandboxing and executes OS commands based on user-supplied input. Due to the lack of enforced authentication in default installations, an unauthenticated attacker can send crafted JSON payloads to execute arbitrary commands.

The CVSS score of 9.8 highlights the critical severity of this flaw. Because the vulnerability allows for arbitrary command execution at the OS level, an attacker can fully compromise the application container or the host server, leading to lateral movement, data breaches, and total loss of confidentiality, integrity, and availability.

Immediate Action: Upgrade to Flowise version 3.0.6 or higher and ensure that authentication (FLOWISE_USERNAME and FLOWISE_PASSWORD) is correctly configured.

Proactive Monitoring: Monitor system logs for unauthorized processes spawned by the Flowise application and review requests to the /api/v1/node-load-method/customMCP endpoint.

Compensating Controls: Ensure the application is running with the principle of least privilege, ideally within an isolated container with restricted system access to minimize the impact of command execution.

Public Exploit Available: Unknown

This vulnerability is exceptionally dangerous due to its ease of exploitation and the level of access granted to attackers. It is imperative to update the software and enforce strong administrative authentication immediately to prevent unauthorized command execution on the host system.