PatchSiren cyber security CVE debrief
CVE-2025-71336 Flowise CVE debrief
CVE-2025-71336 is a critical unsandboxed remote code execution vulnerability in Flowise, a platform that allows users to create and manage custom machine learning models. The vulnerability exists in the Custom MCP feature, which is designed to execute OS commands such as launching local MCP servers. Due to Flowise's minimal authentication and authorization model, which lacks role-based access control, an attacker can send a crafted JSON payload to the /api/v1/node-load-method/customMCP endpoint to execute arbitrary OS commands. This can result in complete compromise of the platform container or server. The vulnerability has a CVSS score of 9.3 and is considered critical. Flowise versions 2.2.7-patch.1 and earlier are affected, and users should upgrade to version 3.0.6 or later to mitigate the vulnerability.
- Vendor
- Flowise
- Product
- Unknown
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-25
- Original CVE updated
- 2026-07-01
- Advisory published
- 2026-06-25
- Advisory updated
- 2026-07-01
Who should care
Organizations using Flowise versions 2.2.7-patch.1 and earlier should prioritize patching to prevent potential exploitation. Additionally, security teams and administrators responsible for managing and securing machine learning platforms and containers should be aware of this vulnerability and take necessary precautions to protect their environments. Users who have not set FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables, thus running Flowise without authentication, are particularly at risk.
Technical summary
The vulnerability in Flowise arises from the Custom MCP feature, which allows the execution of OS commands. Without proper sandboxing and with a minimal authentication model, an attacker can exploit this feature by sending a crafted JSON payload with the 'x-request-from: internal' header to the /api/v1/node-load-method/customMCP endpoint. This enables the execution of arbitrary OS commands, potentially leading to a complete compromise of the platform. The issue affects Flowise versions 2.2.7-patch.1 and earlier, with version 3.0.6 being the patched version. The CVSS:4.0 vector for this vulnerability is AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
This vulnerability has a high defensive priority due to its critical severity and potential for exploitation. Immediate action is recommended to patch affected systems and enhance security measures.
Recommended defensive actions
- Upgrade Flowise to version 3.0.6 or later.
- Implement role-based access control and authentication for Flowise.
- Restrict access to the /api/v1/node-load-method/customMCP endpoint.
- Monitor Flowise instances for suspicious activity.
- Set FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables to enable authentication.
Evidence notes
The CVE-2025-71336 vulnerability details were obtained from the NVD and CVE.org. The vulnerability affects Flowise versions 2.2.7-patch.1 and earlier. The CVSS score is 9.3, indicating critical severity. Limited information is available on potential exploits or attacks; however, the vulnerability's nature suggests a high risk of exploitation.
Official resources
-
CVE-2025-71336 CVE record
CVE.org
-
CVE-2025-71336 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Mitigation, Vendor Advisory
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
This article is AI-assisted and based on the supplied source corpus.