2 matches found
CVE-2025-8943
Flowise CVE-2025-8943 affects Flowise versions before 3.0.1. The vulnerability resides in the Custom MCPs feature, specifically the /api/v1/node-load-method/customMCP endpoint, where insufficient authentication/authorization allows unauthenticated network attackers to execute OS commands unsandbo...
CVE-2025-8943 Unsupervised OS command execution leads to remote code execution by unauthenticated network attackers
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls RBAC. Furthermore, in Flowise versions before 3.0.1 the...