Flowise Critical RCE Vulnerability CVE-2024-5264 in MCP Adapters
Key Takeaways A critical remote code execution (RCE) vulnerability, CVE-2024-5264, has been discovered in Flowise and other AI frameworks. The flaw originates from an architectural design decision...
Key Takeaways
- A critical remote code execution (RCE) vulnerability, CVE-2024-5264, has been discovered in Flowise and other AI frameworks.
- The flaw originates from an architectural design decision within Anthropic’s Model Context Protocol (MCP) SDKs, affecting Python, TypeScript, Java, and Rust.
- Millions of users across the AI supply chain are at risk, with an estimated 200,000 vulnerable instances and over 7,000 publicly accessible servers.
- Patches are available for several affected platforms, but Anthropic has declined to implement a protocol-level fix for MCP itself.
Cybersecurity researchers at OX Security have uncovered a critical vulnerability, tracked as CVE-2024-5264, impacting Flowise and numerous other artificial intelligence (AI) frameworks. This flaw presents a significant risk of remote code execution (RCE), potentially exposing millions of users to malicious activity.
Table Of Content
The root cause of this vulnerability lies within the Model Context Protocol (MCP), a communication standard developed by Anthropic for AI agents and widely adopted across the industry. Unlike typical software bugs, this issue stems from an inherent architectural design choice within Anthropic’s official MCP SDKs, which are available in Python, TypeScript, Java, and Rust.
Developers who build applications on the MCP foundation unknowingly inherit this security exposure. This means the attack surface extends beyond individual platforms, creating a systemic risk across the broader AI supply chain.
Architectural Flaw at the Core of MCP
The identified vulnerability allows attackers to execute arbitrary commands on compromised systems. This grants them direct access to sensitive data, including user information, internal databases, API keys, and chat histories.
During their research, OX Security successfully demonstrated live command execution on six production platforms. Flowise, a popular open-source tool for building AI workflows, was among the platforms most severely affected.
The researchers also identified a “hardening bypass” attack vector specifically against Flowise. This demonstrated that even environments configured with additional security protections remained vulnerable through their MCP adapter interfaces.
The potential impact of this vulnerability is substantial, with an alarming blast radius. Estimates suggest over 150 million downloads, more than 7,000 publicly accessible servers, and approximately 200,000 vulnerable instances across the AI ecosystem are at risk.
To date, at least ten CVEs have been issued, covering critical vulnerabilities in platforms such as LiteLLM, LangChain, GPT Researcher, Windsurf, DocsGPT, and IBM’s LangFlow.
OX Security confirmed four distinct exploitation methodologies:
- Unauthenticated UI injection in widely used AI frameworks.
- Hardening bypasses in “protected” environments, including Flowise.
- Zero-click prompt injection attacks targeting AI IDEs like Windsurf and Cursor.
- Malicious MCP server distribution, with researchers successfully poisoning 9 out of 11 MCP registries during testing.
Anthropic Declines Protocol-Level Fix
OX Security repeatedly recommended fundamental patches to Anthropic that would have protected millions of downstream users by addressing the vulnerability at the protocol level.
However, Anthropic declined to implement these changes, characterizing the observed behavior as “expected.” The company did not object when informed of the researchers’ intention to publicly disclose their findings.
OX Security has already deployed platform-level protections for its own customers, identifying STDIO MCP configurations that incorporate user input as actionable remediation findings.
What You Should Do
- Block public internet exposure for AI services that are connected to sensitive APIs or databases.
- Treat all external MCP configuration input as untrusted and ensure user input cannot reach
StdioServerParameters. - Only install MCP servers from verified sources, such as the official GitHub MCP Registry.
- Run MCP-enabled services within sandboxed environments configured with minimal necessary permissions.
- Actively monitor AI agent tool invocations for any unexpected outbound network activity.
- Immediately update all affected services and platforms to their latest patched versions.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.