LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-40933

CVE-2026-40933 - Vulnerability Analysis

CriticalCVSS: 9.9

Last Updated: April 21, 2026

Flowise - Command Injection

Published: April 21, 2026Updated: April 21, 2026Remote Exploitable

Overview

Flowise < 3.1.0 contains a command injection caused by unsafe serialization of stdio commands in the MCP adapter, letting authenticated attackers execute arbitrary OS commands via the Custom MCP configuration.

Severity & Score

Severity: Critical
CVSS Score: 9.9
EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can execute arbitrary OS commands, potentially leading to full system compromise.

Mitigation

Update to version 3.1.0 or later.

References

Social Media Activity(4 posts)

OffSequence
OffSequence
@offseq
Apr 22, 2026

šŸšØ CRITICAL: CVE-2026-40933 in FlowiseAI Flowise (< 3.1.0) allows authenticated OS command injection via unsafe MCP adapter serialization. Upgrade to 3.1.0+ to fully mitigate. CVSS 10 ā€” patch now! https://radar.offseq.com/threat/cve-2026-40933-cwe-78-improper-neutralization-of-s-3bdaeff3 #OffSeq #Vulnerability #FlowiseAI #Cybersecurity

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Apr 21, 2026

šŸ”“ CVE-2026-40933 - Critical (9.9) Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary comm... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-40933/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
OffSequence
OffSequence
@offseq
Apr 22, 2026

šŸšØ CRITICAL: CVE-2026-40933 in FlowiseAI Flowise (< 3.1.0) allows authenticated OS command injection via unsafe MCP adapter serialization. Upgrade to 3.1.0+ to fully mitigate. CVSS 10 ā€” patch now! https://radar.offseq.com/threat/cve-2026-40933-cwe-78-improper-neutralization-of-s-3bdaeff3 #OffSeq #Vulnerability #FlowiseAI #Cybersecurity

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Apr 21, 2026

šŸ”“ CVE-2026-40933 - Critical (9.9) Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary comm... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-40933/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID
CVE-2026-40933
Severity
Critical
CVSS Score
9.9
Type
command_injection
Status
new
EPSS
0.0%
Social Posts
4

CWE

  • CWE-78

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

0.0%Probability of exploitation in the next 30 days