Max severity Flowise RCE vulnerability now exploited in attacks

MAX SEVERITY FLOWISE RCE VULNERABILITY NOW EXPLOITED IN ATTACKS

Security researchers are tracking active exploitation of a critical remote code execution flaw in Flowise, the open-source low-code platform used to assemble AI agents and LLM-based workflows. The vulnerability, identified as CVE-2025-59528, allows an attacker to inject and execute JavaScript on a Flowise deployment by abusing the CustomMCP node’s handling of configuration data when connecting to an external Model Context Protocol (MCP) server. In short, the input mcpServerConfig supplied by a user can be evaluated unsafely, bypassing safety checks and enabling arbitrary code execution on the host system.

Public disclosure of the flaw occurred in September 2025, and it carries a maximum severity rating reflective of the potential impact: arbitrary code execution with access to the host file system. The underlying weakness lies in how the CustomMCP node processes external MCP connections, where unsafe evaluation of user-provided configuration creates a workable attack surface for malicious JavaScript. Flowise’s design emphasizes ease of integration for building AI-driven pipelines, including drag-and-drop assembly of components that can power chatbots, automation, and knowledge-based assistants. That flexibility, while powerful for developers and frontline users, becomes a liability when a single insecure node can cascade into system compromise.

The Flowise ecosystem is not alone in this vulnerability class; researchers have noted related CVEs that also affect Flowise and have seen active exploitation in the wild. In addition to CVE-2025-59528, CVE-2025-8943 and CVE-2025-26319 have been implicated in ongoing attack activity. Observers emphasize that multiple flaws can be targeted in a single exploit chain, complicating defense and remediation efforts for organizations running Flowise instances in varied environments.

Early exploitation signals emerged from VulnCheck’s Canary network, which reported first-time exploitation tied to CVE-2025-59528 in the wild. The activity appears to have originated from at least one Starlink IP, and the scale of exposure is notable: roughly 12,000 to 15,000 Flowise instances are currently publicly reachable on the internet. It remains unclear what proportion of those exposed instances are actually vulnerable, underscoring the need for comprehensive inventory and monitoring of externally reachable Flowise deployments.

From a patch and versioning perspective, Flowise addressed the vulnerability in a prior release line, with a fix present in version 3.0.6. The project’s latest release at the time of the exploitation wave is 3.1.1, which was issued around late March 2026. That newer release consolidates protections against the unsafe evaluation path that enabled CVE-2025-59528, alongside improvements that address related issues observed in the wild. Flowise remains an open-source project hosted on GitHub, widely adopted by developers prototyping AI features, non-technical users employing no-code toolsets, and companies deploying customer-support chatbots and knowledge bases.

In practical terms, the vulnerability enables an attacker to run JavaScript with the same privileges as the Flowise process, granting potential access to sensitive files, configuration data, and connected services. The exploitation capability is particularly troubling given Flowise’s role in orchestrating AI workflows, where a compromised node could seed further compromises across a broader deployment or integrated systems. Observers stress that the exploit surface extends beyond a single installation and can affect any deployment that relies on the CustomMCP configuration path without proper input validation.

Flowise’s user base spans a broad spectrum—from developers prototyping AI ideas to non-technical users leveraging no-code pipelines, and to organizations that rely on automated chat interfaces for customer support. The combination of a high-severity flaw and a substantial number of exposed instances underscores the ongoing tension between speed and security in open-source AI tooling. As researchers and operators continue to observe indicators of exploitation, the emphasis shifts toward thorough asset inventory, monitoring of external exposure, and ensuring that deployments are updated to the latest secure versions when feasible.

The incident also highlights the importance of defense-in-depth when deploying low-code AI platforms in production environments. While Flowise offers powerful capabilities for constructing AI-driven workflows, the presence of an unsafe evaluation path in a configurable node demonstrates how complex integration points can become single points of failure. As investigators analyze observed attack patterns and correlate them with CVE-2025-59528 and related flaws, the broader takeaway is clear: open-source AI tooling benefits from timely patching, rigorous input validation, and continuous security validation across all surfaces that interact with external servers and user-provided configuration. The rapid emergence of exploits in this space serves as a reminder that even well-regarded development platforms require ongoing vigilance to prevent downstream impacts on critical workflows and data.