Security Advisory - Published 2026-06-24 - Flowise
Flowise Custom MCP Server: check who can edit tools and chatflows
CVE-2026-56274 affects Flowise before 3.1.2. The risk sits in the Custom MCP Server feature, so the first useful check is not a public probe. Confirm the running version, who can edit chatflows, and whether Custom MCP Server entries changed before the patch.
Affected version
| CVE | Product | Affected / fixed | CVSS |
|---|---|---|---|
| CVE-2026-56274 | Flowise | <= 3.1.1 / 3.1.2 | 9.9 |
Owner self-check
```bash
docker ps | grep -i flowise
docker compose ps | grep -i flowise
# Version pinned in the repository; the running container may differ
grep -rniE 'flowise|flowise-components' package.json package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null
grep -rniE 'Custom MCP|mcp|chatflow|tool' . 2>/dev/null | head -120
# Container logs for the last seven days (2>&1: docker logs writes the container's stderr to stderr)
for cid in $(docker ps -q --filter name=flowise); do
  docker logs --since 7d "$cid" 2>&1 | grep -Ei 'mcp|tool|chatflow|error|exec|spawn|permission'
done
```
What to review
- Flowise and flowise-components version in the running container, not just the repository lock file.
- Accounts or API keys with view or update access to chatflows.
- Custom MCP Server records, changed tool definitions, changed chatflows, and new outbound destinations.
- Container logs around chatflow edits, MCP tool execution, unexpected process starts, and permission errors.
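The first bullet above asks for the version of the running container, not the lock file. The following is an added example, not part of this advisory or of the Flowise project: it reads the version out of each running container and classifies it against the CVE-2026-56274 range, comparing dotted components numerically so a release such as 3.10.0 is not mistaken for an old one by string order. The `docker exec` path to `package.json` assumes the image's working directory holds it (hypothetical; adjust to your deployment).

```bash
#!/bin/sh
# Added example, not part of the Flowise advisory: classify a Flowise
# version string against the CVE-2026-56274 range (affected <= 3.1.1,
# fixed 3.1.2), comparing dotted components numerically.

FIXED_VERSION="3.1.2"

# version_lt A B: exit 0 when A < B. A suffix such as -rc1 is stripped
# from each component so the numeric test does not fail; missing
# components count as 0 (3.1 compares as 3.1.0).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai%%-*}"; bi="${bi%%-*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# flowise_affected VERSION: exit 0 when VERSION is older than 3.1.2.
flowise_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# running_flowise_version CONTAINER: read the version from the running
# container rather than a repository lock file. Assumption: the image's
# working directory holds the Flowise package.json (hypothetical path).
running_flowise_version() {
    docker exec "$1" node -p "require('./package.json').version" 2>/dev/null
}

# check_running_containers: report every container whose name contains "flowise".
check_running_containers() {
    for cid in $(docker ps -q --filter name=flowise); do
        v=$(running_flowise_version "$cid")
        if [ -n "$v" ] && flowise_affected "$v"; then
            echo "$cid: Flowise $v AFFECTED, upgrade to $FIXED_VERSION or newer"
        else
            echo "$cid: Flowise ${v:-unknown}: not affected, or version unreadable"
        fi
    done
}
```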
Safe fix path
- Upgrade Flowise and flowise-components to 3.1.2 or newer.
- Put Flowise behind VPN, Cloudflare Access, or an IP allowlist while reviewing accounts.
- Rotate Flowise credentials, API keys, and integration secrets if unknown users had edit access.
- Export and diff chatflows before deleting logs; changed tools may be the only useful evidence.
Repair help
Use Ping7 CVE Repair when Flowise was internet-facing, Custom MCP Server was enabled, or logs show unknown chatflow edits before the 3.1.2 upgrade.