Flowise AI Platform Under Active Attack: Critical CVSS 10.0 RCE Vulnerability Exposes 12,000+ Instances

The vulnerability was public for six months. The patch was available. Yet 12,000+ Flowise instances remained exposed, and now threat actors are actively exploiting them at scale.

On April 7, 2026, VulnCheck confirmed what security researchers feared: CVE-2025-59528, a maximum-severity code injection vulnerability in the popular open-source AI platform Flowise, is under active exploitation. With a CVSS score of 10.0 - the highest possible rating - this flaw allows remote attackers to execute arbitrary JavaScript code on affected servers, leading to complete system compromise.

This is not a theoretical risk. This is happening right now.

The Critical Vulnerability: CVE-2025-59528 Explained

What Is Flowise?

Flowise is an open-source low-code platform that enables developers to build AI agent workflows and applications using LangChain. It provides a visual interface for creating complex AI pipelines, making it accessible to developers who may not have deep expertise in AI frameworks. The platform has gained significant traction in the enterprise AI space, with thousands of organizations using it to prototype and deploy AI solutions.

The platform's CustomMCP node allows users to configure connections to external MCP (Model Context Protocol) servers, enabling AI agents to interact with various tools and data sources. This flexibility is what makes Flowise powerful - and what created the vulnerability.

The Vulnerability: Unvalidated Code Execution

The flaw resides in how Flowise processes MCP server configurations. According to Flowise's security advisory published in September 2025:

"The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation."

What this means in practice:

An attacker with only an API token can inject malicious JavaScript into the MCP server configuration. When Flowise processes this configuration, it executes the attacker's code with full Node.js runtime privileges. This grants the attacker:

• Remote Code Execution (RCE): Run arbitrary commands on the server
• File System Access: Read, write, and delete files using the fs module
• System Compromise: Access child_process for shell command execution
• Data Exfiltration: Steal sensitive information, API keys, and credentials
• Lateral Movement: Use compromised servers to attack internal networks

Why CVSS 10.0?

The Common Vulnerability Scoring System assigns CVE-2025-59528 its maximum severity rating because:

• Attack Vector: Network - Exploitable remotely without physical access
• Attack Complexity: Low - No special conditions or user interaction required
• Privileges Required: Low - Only an API token is needed
• User Interaction: None - No victim participation required
• Scope: Changed - Can affect resources beyond the vulnerable component
• Confidentiality Impact: High - Complete data access
• Integrity Impact: High - Complete data modification possible
• Availability Impact: High - Complete system shutdown possible

Bottom line: If your Flowise instance is exposed to the internet and not patched to version 3.0.6 or later, attackers can own your system with minimal effort.

Active Exploitation Confirmed

The Starlink Connection

VulnCheck researchers identified exploitation activity originating from a single Starlink IP address. This suggests either:

1. A coordinated attacker using satellite internet for operational security
2. Multiple attackers sharing infrastructure
3. A security researcher conducting unauthorized testing

Regardless of the source, the pattern is clear: threat actors are actively scanning for vulnerable Flowise instances and exploiting them.

The Third Flowise Flaw Under Attack

CVE-2025-59528 marks the third Flowise vulnerability with confirmed in-the-wild exploitation:

1. CVE-2025-8943 (CVSS 9.8): Operating system command remote code execution
2. CVE-2025-26319 (CVSS 8.9): Arbitrary file upload vulnerability
3. CVE-2025-59528 (CVSS 10.0): Code injection leading to RCE

This pattern demonstrates that Flowise has become a high-value target for attackers. The platform's popularity in enterprise AI deployments, combined with frequent internet exposure, makes it an attractive target for opportunistic exploitation.

The 12,000+ Exposed Instances Problem

VulnCheck's Caitlin Condon highlighted the scope of the risk:

"This is a critical-severity bug in a popular AI platform used by a number of large corporations. This specific vulnerability has been public for more than six months, which means defenders have had time to prioritize and patch the vulnerability. The internet-facing attack surface area of 12,000+ exposed instances makes the active scanning and exploitation attempts we're seeing more serious, as it means attackers have plenty of targets to opportunistically reconnoiter and exploit."

Why are so many instances still exposed?

• Shadow AI Deployments: Teams spun up Flowise for testing and forgot about it
• Lack of Asset Management: Organizations don't know they have Flowise running
• Patch Fatigue: Security teams overwhelmed with vulnerability backlogs
• False Sense of Security: "We're just prototyping, it's not production"
• Supply Chain Blindness: Flowise embedded in other applications

The Attack Chain: How Exploitation Works

Step 1: Discovery

Attackers scan for exposed Flowise instances using:

• Shodan queries for Flowise-specific endpoints
• Censys searches for Flowise response signatures
• Masscan sweeps of common AI platform ports
• Certificate transparency log monitoring

Step 2: API Token Acquisition

The vulnerability requires only an API token, which attackers may obtain through:

• Default or weak credentials on exposed instances
• Token leakage in public repositories (GitHub, GitLab)
• Previous compromise of related systems
• Social engineering targeting developers
• Credential stuffing attacks

Step 3: Malicious Payload Injection

With a valid token, the attacker crafts a malicious MCP server configuration:

// Simplified example of malicious configuration
{
  "mcpServerConfig": "require('child_process').exec('malicious_command')"
}

This payload exploits the lack of input validation to execute arbitrary Node.js code.

Step 4: Code Execution and System Compromise

Once the malicious configuration is processed:

1. Flowise executes the injected JavaScript
2. The attacker gains Node.js runtime access
3. System commands run with Flowise process privileges
4. Reverse shells, cryptominers, or ransomware deploy
5. Persistence mechanisms establish long-term access
6. Lateral movement begins to internal networks

Step 5: Post-Exploitation Activities

Common activities observed in compromised AI platforms:

• Cryptocurrency Mining: Using server resources for financial gain
• Data Theft: Exfiltrating training data, API keys, and credentials
• Ransomware Deployment: Encrypting systems for extortion
• Botnet Recruitment: Adding servers to DDoS networks
• Supply Chain Attacks: Compromising downstream dependencies

Immediate Actions Required

If You Run Flowise

URGENT - Do This Now:

1. Identify All Instances: Scan your infrastructure for Flowise deployments
2. Check Version: Determine if you're running version 3.0.6 or later
3. Apply Patch: Upgrade immediately to Flowise 3.0.6 or newer
4. Rotate Credentials: Change all API tokens and associated credentials
5. Review Logs: Check for suspicious activity in access logs
6. Network Segmentation: Restrict Flowise access to internal networks only

Verification Command:

# Check Flowise version
npm list flowise

# Or check package.json
cat package.json | grep flowise

If You Don't Know If You Run Flowise

Discovery Steps:

1. Asset Inventory: Query your CMDB for Flowise installations
2. Container Scanning: Check Docker and Kubernetes environments
3. Cloud Resource Search: Look for Flowise in AWS, Azure, GCP consoles
4. Network Scanning: Identify services on ports 3000, 8080, or custom Flowise ports
5. Developer Surveys: Ask teams about AI prototyping tools they're using

Network Hardening

Immediate Network Controls:

• Firewall Rules: Block Flowise ports from internet access
• VPN Requirements: Require VPN access for Flowise administration
• IP Whitelisting: Restrict access to known corporate IP ranges
• Load Balancer Rules: Configure WAF rules to block suspicious MCP configuration patterns
• Network Segmentation: Isolate Flowise in a dedicated network segment

Long-Term Defensive Strategies

AI Platform Security Framework

Governance and Visibility:

• AI Asset Inventory: Maintain real-time visibility into all AI platforms
• Usage Policies: Establish clear policies for AI tool deployment
• Approval Workflows: Require security review before AI platform deployment
• Regular Audits: Quarterly reviews of AI infrastructure security posture

Technical Controls:

• Runtime Protection: Deploy RASP (Runtime Application Self-Protection) for AI applications
• Input Validation: Implement strict validation for all AI platform inputs
• Least Privilege: Run AI platforms with minimal required permissions
• Container Security: Use hardened container images with minimal attack surface
• Secrets Management: Centralized, encrypted storage for API tokens and credentials

Monitoring and Detection:

• Behavioral Analytics: Monitor for unusual AI platform activity
• Log Aggregation: Centralized logging for all AI platform access
• Anomaly Detection: Alert on suspicious MCP configuration changes
• Threat Intelligence: Subscribe to feeds covering AI platform vulnerabilities

Supply Chain Security

Dependency Management:

• Software Bill of Materials (SBOM): Track all AI platform dependencies
• Vulnerability Scanning: Automated scanning of AI platform components
• Patch Management: Rapid deployment of security updates
• Vendor Assessment: Security evaluation of AI platform vendors

Incident Response

AI-Specific Playbooks:

• Containment Procedures: How to isolate compromised AI platforms
• Forensic Collection: Preserving evidence from AI system compromises
• Recovery Protocols: Restoring AI services after incidents
• Communication Plans: Notifying stakeholders about AI security incidents

The Bigger Picture: AI Platform Security in 2026

Why AI Platforms Are High-Value Targets

AI platforms like Flowise represent attractive targets for several reasons:

1. Data Access: They often have access to sensitive training data and enterprise information
2. Privilege Levels: AI platforms typically run with elevated permissions to access resources
3. Network Position: They bridge internal systems and external AI services
4. Rapid Adoption: Security hasn't caught up with deployment speed
5. Complexity: Multi-component architectures create multiple attack vectors

The Pattern of AI Vulnerabilities

The Flowise vulnerabilities follow a concerning pattern in AI security:

• Input Validation Failures: AI platforms often trust user input too much
• Deserialization Issues: Complex configurations create injection opportunities
• Privilege Escalation: AI platforms run with more access than necessary
• Network Exposure: Convenience leads to unnecessary internet exposure

Industry-Wide Implications

This vulnerability should serve as a wake-up call for organizations deploying AI platforms:

• Security-First AI: Security must be built into AI deployments from day one
• Continuous Monitoring: AI platforms require ongoing security oversight
• Defense in Depth: Multiple security layers protect against single points of failure
• Rapid Response: The ability to patch quickly is essential

FAQ: Flowise CVE-2025-59528

How do I know if my Flowise instance is vulnerable?

Check your Flowise version. If you're running any version before 3.0.6, you're vulnerable. Run npm list flowise in your project directory to check the installed version. Also verify if your instance is exposed to the internet - internal-only deployments have lower immediate risk.

What are the signs of compromise?

Look for:

• Unexpected processes running on the server
• Unusual network connections from the Flowise host
• Modified or new files in the Flowise directory
• Unexpected API calls in access logs
• High CPU usage from cryptomining processes
• Unauthorized access to connected data sources

Can I just block the Starlink IP address?

No. While current exploitation originates from a Starlink IP, attackers can easily change infrastructure. IP blocking is not a substitute for patching. Treat all internet-facing Flowise instances as potentially compromised until patched and investigated.

Is the patch backward compatible?

Flowise 3.0.6 addresses the vulnerability while maintaining compatibility with existing workflows. However, test the upgrade in a non-production environment first, especially if you have complex custom MCP configurations.

What if I can't patch immediately?

If immediate patching isn't possible:

1. Take Flowise instances offline from the internet
2. Restrict access to VPN-only
3. Implement WAF rules to block suspicious MCP configuration patterns
4. Increase monitoring and logging
5. Plan emergency maintenance window for patching

How does this compare to previous Flowise vulnerabilities?

CVE-2025-59528 is the most severe of the three exploited Flowise vulnerabilities:

• CVE-2025-8943 (CVSS 9.8): Command injection via OS commands
• CVE-2025-26319 (CVSS 8.9): Arbitrary file upload
• CVE-2025-59528 (CVSS 10.0): Code injection with full Node.js access

The 10.0 CVSS score reflects the complete system compromise possible through this vulnerability.

Are other AI platforms vulnerable to similar attacks?

Yes. Many AI platforms process user-provided configurations and may have similar input validation weaknesses. This vulnerability pattern is common across:

• LangChain-based applications
• MCP server implementations
• AI agent frameworks
• Low-code AI platforms

Review security advisories for all AI platforms in your environment.

What should I tell my development teams?

Communicate:

1. The severity and active exploitation of this vulnerability
2. The requirement to patch all Flowise instances immediately
3. The prohibition of internet-facing AI platforms without security review
4. The importance of input validation in AI application development
5. Resources for secure AI deployment practices

How can I prevent similar vulnerabilities in the future?

Implement:

• Security review requirements for all AI platform deployments
• Automated vulnerability scanning for AI infrastructure
• Network segmentation for AI development environments
• Regular security training for AI development teams
• Security-focused AI platform procurement criteria

Is Flowise safe to use after patching?

Version 3.0.6 and later address this specific vulnerability. However, like all software, Flowise may have undiscovered vulnerabilities. Practice defense in depth:

• Keep Flowise updated
• Run with minimal privileges
• Monitor for suspicious activity
• Maintain network segmentation
• Have incident response plans ready

Conclusion: The Urgency of AI Platform Security

The Flowise CVE-2025-59528 vulnerability is not an isolated incident. It is a symptom of a larger problem: AI platforms are being deployed faster than they can be secured. The 12,000+ exposed instances represent thousands of organizations that either didn't know they were vulnerable or couldn't prioritize patching.

The attackers are not waiting. They are actively exploiting this vulnerability right now.

If you run Flowise, patch today. Not tomorrow. Not next week. Today.

If you don't know whether you run Flowise, find out today. Shadow AI deployments are real, and they are dangerous.

If you're planning AI platform deployments, build security in from the start. The cost of preventive security is always lower than the cost of incident response.

The AI revolution is here. The security challenges that come with it are here too. Organizations that adapt quickly will thrive. Those that don't will become cautionary tales.

Patch now. Secure your AI. Protect your data.

---

Stay ahead of AI security threats. Subscribe to the Hexon.bot newsletter for weekly cybersecurity insights and vulnerability alerts.

Related Reading:

• The AI Agent Vulnerability Tsunami: Six Critical CVEs in 72 Hours
• Securing AI Agents: The Defining Cybersecurity Challenge of 2026
• The OpenClaw Security Crisis: Nine CVEs in Four Days