CVSS 10.0: Critical Flowise AI Vulnerability Is Being Actively Exploited — 15,000+ Instances Still Exposed

dark6 9 April 2026

Security researchers have confirmed that a maximum-severity remote code execution vulnerability in Flowise — a popular open-source platform for building AI agents and LLM-powered workflows — is being actively exploited in the wild. Tracked as CVE-2025-59528 with a CVSS score of 10.0, the flaw allows unauthenticated attackers to execute arbitrary commands on any exposed Flowise server. With an estimated 12,000 to 15,000+ instances publicly accessible on the internet, the attack surface is vast.

The Vulnerability: Unsafe JavaScript Execution in AI Workflows

The flaw exists in Flowise’s CustomMCP node, which allows users to configure connections to external Model Context Protocol (MCP) servers. When a user provides a configuration string, Flowise parses it and executes the embedded JavaScript code — but does so without any security validation or sandboxing.

Because this code runs with full Node.js runtime privileges, attackers can access dangerous built-in modules such as:

  • child_process — for executing arbitrary shell commands on the host
  • fs — for reading, writing, or deleting files on the server’s filesystem

This effectively grants a remote attacker full control over the underlying server, including access to any secrets, credentials, or AI model configurations stored on it.
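
The bug class described above, shown as an added illustration that is not Flowise's code: a config string evaluated as JavaScript, next to a data-only parser with strict shape validation. The `command`/`args`/`env` fields, the function names, and the sample inputs are assumptions constructed for this example.

```javascript
// Added illustration, not Flowise source. The command/args/env shape is an
// assumed MCP server config; all names and inputs here are constructed.
// Anti-pattern: the string is treated as JavaScript source, so any expression
// inside it runs with the privileges of the Node.js process.
function parseConfigUnsafe(text) {
  return new Function('return (' + text + ')')();
}

const ALLOWED_KEYS = new Set(['command', 'args', 'env']);
const isString = (v) => typeof v === 'string';
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Hardened: the config is data only. JSON.parse never evaluates code, and the
// result must match a strict shape before anything else uses it.
function parseConfigSafe(text) {
  const cfg = JSON.parse(text); // SyntaxError on anything that is not JSON
  if (!isPlainObject(cfg)) throw new TypeError('config must be a JSON object');
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new TypeError('unexpected key: ' + key);
  }
  if (!isString(cfg.command) || cfg.command === '') {
    throw new TypeError('command must be a non-empty string');
  }
  const args = cfg.args === undefined ? [] : cfg.args;
  if (!Array.isArray(args) || !args.every(isString)) {
    throw new TypeError('args must be an array of strings');
  }
  const env = cfg.env === undefined ? {} : cfg.env;
  if (!isPlainObject(env) || !Object.values(env).every(isString)) {
    throw new TypeError('env must map names to strings');
  }
  return { command: cfg.command, args: [...args], env: { ...env } };
}

const DATA_ONLY = '{"command": "example-mcp-server", "args": ["--stdio"]}';
const WITH_CODE = '{"command": "example-mcp-server", "args": [String(globalThis.evaluated = true)]}';

// Feed the same expression-bearing string to both parsers and compare.
function demo() {
  delete globalThis.evaluated;
  parseConfigUnsafe(WITH_CODE); // the embedded expression executes
  const unsafeRan = globalThis.evaluated === true;
  delete globalThis.evaluated;
  let rejected = false;
  try { parseConfigSafe(WITH_CODE); } catch (e) { rejected = e instanceof SyntaxError; }
  const safeRan = globalThis.evaluated === true;
  return { unsafeRan, rejected, safeRan, parsed: parseConfigSafe(DATA_ONLY) };
}
console.log(demo());
```

Shape validation only removes the code-evaluation path; `command` still names a process to launch, so who may submit a config remains an access-control question.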

Active Exploitation Underway

According to threat intelligence data from VulnCheck, exploitation of CVE-2025-59528 is already occurring in the wild, with attack traffic originating from at least one identified Starlink IP address. The vulnerability has been publicly known for over six months, meaning defenders have had ample time to patch — yet tens of thousands of instances remain unprotected.

The combination of a CVSS 10.0 score, a public proof-of-concept exploit, and massive exposure makes this one of the most urgent vulnerabilities of 2026 for organizations running AI infrastructure.

Why This Matters for AI Security

Flowise is widely used by developers and organizations to rapidly prototype and deploy AI agent pipelines, chatbots, and LLM-powered applications. A compromise of a Flowise instance can lead to:

  • Theft of API keys for OpenAI, Anthropic, or other AI providers
  • Exfiltration of proprietary prompts, workflows, and business logic
  • Pivoting into internal networks from the compromised server
  • Manipulation of AI agent behavior to produce malicious outputs

This incident highlights a growing concern in the cybersecurity community: as AI development tools proliferate, many are being deployed without adequate security review.

The Fix and What To Do Now

Flowise has addressed the vulnerability in version 3.0.6 of the npm package. If you are running any version prior to this, you are vulnerable.

Immediate actions to take:

  • Update to Flowise v3.0.6 or later immediately
  • Audit your instance for signs of compromise — check for unexpected processes, new files, or modified configurations
  • Remove public internet exposure unless strictly necessary — place Flowise behind a VPN or authentication gateway
  • Rotate all API keys and secrets that were accessible on the server
  • Review access logs for suspicious activity, particularly around the CustomMCP endpoint

For organizations that cannot immediately patch, disabling the CustomMCP node as a temporary workaround can reduce the attack surface until an update can be applied.
