Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed

Summary

Threat actors are actively exploiting CVE-2025-59528, a maximum-severity code injection vulnerability in Flowise, an open-source AI agent builder. The flaw allows unauthenticated attackers with only an API token to execute arbitrary JavaScript code with full Node.js privileges, leading to remote code execution, file system access, and data exfiltration. Despite being patched in version 3.0.6 (September 2025) and public for over six months, over 12,000 exposed instances remain vulnerable to opportunistic attacks.

Full text

Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed Ravie LakshmananApr 07, 2026Artificial Intelligence / Vulnerability Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck. The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution. "The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server," Flowise said in an advisory released in September 2025. "This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation." Flowise noted that successful exploitation of the vulnerability can allow access to dangerous modules such as child_process (command execution) and fs (file system), as it runs with full Node.js runtime privileges. Put differently, a threat actor who weaponizes the flaw can execute arbitrary JavaScript code on the Flowise server, leading to full system compromise, file system access, command execution, and sensitive data exfiltration. "As only an API token is required, this poses an extreme security risk to business continuity and customer data," Flowise added. It credited Kim SooHyun with discovering and reporting the flaw. The issue was addressed in version 3.0.6 of the npm package. According to details shared by VulnCheck, exploitation activity against the vulnerability has originated from a single Starlink IP address. CVE-2025-59528 is the third Flowise flaw with in-the-wild exploitation after CVE-2025-8943 (CVSS score: 9.8), an operating system command remote code execution, and CVE-2025-26319 (CVSS score: 8.9), an arbitrary file upload. "This is a critical-severity bug in a popular AI platform used by a number of large corporations," Caitlin Condon, vice president of security research at VulnCheck, told The Hacker News in a statement. "This specific vulnerability has been public for more than six months, which means defenders have had time to prioritize and patch the vulnerability. The internet-facing attack surface area of 12,000+ exposed instances makes the active scanning and exploitation attempts we're seeing more serious, as it means attackers have plenty of targets to opportunistically reconnoiter and exploit." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  artificial intelligence, Cloud security, cybersecurity, Open Source, remote code execution, Vulnerability Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• cve — CVE-2025-59528
• cve — CVE-2025-8943
• cve — CVE-2025-26319

Entities