A critical vulnerability in Flowise and multiple AI frameworks has been discovered by OX Security, exposing millions of users to remote code execution (RCE).<\/p>\n
The flaw stems from the Model Context Protocol (MCP)<\/a>, a widely used communication standard for AI agents developed by Anthropic.<\/p>\n Unlike a typical software bug, this vulnerability stems from an architectural design decision embedded in Anthropic\u2019s official MCP SDKs<\/a> across Python, TypeScript, Java, and Rust.<\/p>\n Any developer building on the MCP foundation unknowingly inherits this exposure, meaning the attack surface is not limited to a single platform but ripples across the entire AI supply chain<\/a>.<\/p>\n The flaw enables attackers to execute arbitrary commands on vulnerable systems, granting direct access to sensitive user data, internal databases, API keys, and chat histories.<\/a><\/p>\n OX Security successfully executed live commands on six production platforms during their research. Flowise, a popular open-source AI workflow builder, is among the most significantly affected platforms.<\/p>\n Researchers identified a \u201chardening bypass<\/a>\u201d attack vector against Flowise, demonstrating that even environments configured with additional protections remain exploitable through MCP adapter interfaces.<\/p>\n The broader blast radius is alarming: over\u00a0150 million downloads, more than\u00a07,000 publicly accessible servers, and an estimated\u00a0200,000 vulnerable instances\u00a0across the ecosystem.<\/p>\n At least ten CVEs have been issued so far, covering critical vulnerabilities in platforms including LiteLLM, LangChain<\/a>, GPT Researcher, Windsurf, DocsGPT, and IBM\u2019s LangFlow.<\/p>\n Four distinct exploitation families were confirmed:<\/p>\n OX Security repeatedly recommended root-level patches<\/a> to Anthropic that would have protected millions of downstream users.<\/p>\n Anthropic declined, characterizing the behavior as \u201cexpected.\u201d The company did not object when notified of the researchers\u2019 intent to publish their findings.<\/p>\n Security teams should take immediate action:<\/p>\n OX Security has shipped platform-level protections for its customers, flagging STDIO MCP configurations that include user input as actionable remediation findings.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Critical Vulnerability In Flowise Allows Remote Command Execution Via MCP Adapters<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nArchitectural Flaw at the Core of MCP<\/strong><\/h2>\n
![\"MCP](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj2whbHICIhvq0BKzC0PSLgbr23fDUcjDCl_d_vbCYGhBKlsNXQ70DALNyV2t8eToFcKCe5yOqgotDFeEBVodthicuGHHnn7haYb8yhda-y6OJ36u7BKKsy8LsiZzxffY49cDolZkgml2jd0_YGGCxXfstqnEvERDcmRSVlr9e7SvHVj2JTxa1HeOv3T_U\/s1600\/Screenshot%25202026-04-17%2520153750%2520%25281%2529.webp?ssl=1\")
\n
Anthropic Declines Protocol-Level Fix<\/strong><\/h2>\n
\n