Описание
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
Ссылки
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 3.0.1 (исключая)
cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
EPSS
Процентиль: 99%
0.75347
Высокий
9.8 Critical
CVSS3
Дефекты
CWE-306
Связанные уязвимости
EPSS
Процентиль: 99%
0.75347
Высокий
9.8 Critical
CVSS3
Дефекты
CWE-306