An authenticated OS command injection vulnerability in Flowise allows users with standard accounts to execute arbitrary commands on the host server, posing a critical security risk.

The vulnerability exists in the Custom MCP Server feature, where insufficient blocklist validation and regex bypasses allow an authenticated attacker to execute arbitrary OS commands. This requires the attacker to have at least a standard Flowise account or API access with specific chatflow permissions.

With a CVSS score of 9.9, this vulnerability represents an extreme risk. An attacker gaining command execution on the host server could result in full system compromise, exfiltration of sensitive configuration data, and lateral movement within the network.

Immediate Action: Upgrade Flowise to version 3.1.2 or later to apply the necessary patches for command-flag validation and file access restrictions.

Proactive Monitoring: Review audit logs for suspicious activity involving the Custom MCP Server feature, specifically looking for unexpected command-line arguments or local file access attempts.

Compensating Controls: Restrict access to the Flowise administrative interface and API to trusted personnel only, and employ a Web Application Firewall (WAF) to inspect incoming traffic for command injection patterns.

Public Exploit Available: No

Given the critical nature of this vulnerability, immediate remediation is mandatory. System administrators should prioritize updating the Flowise platform and auditing existing account permissions to ensure that only authorized users can interact with sensitive features like the Custom MCP Server.