1-Click RCE in Flowise (CVE-2026-40933)
A critical 1-click remote code execution (RCE) vulnerability (CVE-2026-40933) was discovered in Flowise, a low-code MCP tool. The flaw leverages the stdio MCP transport to achieve unauthenticated RCE, allowing attackers to execute arbitrary commands on the server. Obsidian Security details how this seemingly benign feature becomes a serious security risk in misconfigured environments.