CVE-2026-58057 · EXPLOITED · PATCHED
flowi · flowise

Flowise - Custom MCP Environment Variable Denylist Bypass via Case Sensitivity

Description

A vulnerability labeled as problematic has been found in Flowise up to 3.1.2 on Windows. The issue affects unknown processing in the Environment Variable Handler component. Manipulation leads to improper handling of case sensitivity. The vulnerability is referenced as CVE-2026-58057. The attack can be launched remotely.

Affected Products

Vendor: flowi
Product: flowise
Versions: 0, 3.1.2

References

  • https://github.com/bikini/exploitarium/tree/main/flowise-mcp-env-case-bypass-poc (exploit, third-party-advisory)
  • https://github.com/FlowiseAI/Flowise/pull/6471 (issue-tracking)
  • https://www.vulncheck.com/advisories/flowise-custom-mcp-environment-variable-denylist-bypass-via-case-sensitivity (third-party-advisory)

Related News (1 articles)

Tier C · VulDB · 23h ago
CVE-2026-58057 | Flowise up to 3.1.2 on Windows Environment Variable case sensitivity
→ No new info (linked only)

CVSS 3.1: 5.0 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 3.1.3
CWE: CWE-178
Published: Jun 28, 2026
Last enriched: 23h ago (v2)
Trending Score: 41
Source articles: 1
Independent: 1
Info Completeness: 10/14
Missing: epss, kev, iocs, mitre_attack

Related CVEs (5)

CVE-2025-71327 · NONE · EXP
Flowise - Authentication Bypass via Unprotected Registration Endpoint
Trending: 47
CVE-2025-71334 · NONE · EXP
Flowise - Arbitrary File Access via Missing Chat Flow ID Validation
Trending: 47
CVE-2025-71338 · NONE · EXP
Flowise - Arbitrary File Write to Remote Code Execution via document-store API
Trending: 47
CVE-2025-71336 · CRITICAL · EXP
Flowise - Unsandboxed Remote Code Execution via Custom MCP
Trending: 38
CVE-2025-71333 · NONE · EXP
Flowise - Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint
Trending: 38

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Jun 28, 2026
Discovered by ZDM: Jun 28, 2026
Actively Exploited: Jun 28, 2026
Exploit Available: Jun 28, 2026
Patch Available: Jun 28, 2026
Updated (description, affectedVersions, severity, exploitAvailable, activelyExploited): Jun 28, 2026

Version History

Current version: v2 (last enriched 23h ago)

v2 · Tier C · 23h ago
Updated description with new technical details, changed vendor and product names, added affected version 3.1.2, updated severity to HIGH, and marked exploit as available and actively exploited.
Changed fields: description, affectedVersions, severity, exploitAvailable, activelyExploited
via VulDB

v1 · 1d ago
Initial creation