Flowise AI Agent Builder under attack due to critical RCE vulnerability

08.04.2026 3 minutes Author: Newsman

A critical vulnerability has been discovered in the Flowise AI agent creation platform, which is already being actively exploited by hackers. The problem allows remote code execution and complete server takeover, with thousands of instances around the world at risk.

Flowise, one of the most widely used open-source platforms for building AI solutions, has become the target of active exploitation of a recently announced critical vulnerability. According to research by VulnCheck, CVE-2025-59528, rated CVSS 10.0, allows attackers to inject code into Flowise that then runs unchecked on the server. The flaw lies in the application's "CustomMCP" node. To process user input describing how a connection to another MCP server should be set up, the CustomMCP node evaluates that input as JavaScript. No validation is performed on the input before it is evaluated, so malicious input is executed directly on the server, which lets an unauthorized actor abuse the application for their own purposes.

The impact of the vulnerability is significant and includes the following:

  • Full access to the file system

  • Command execution via child_process

  • Reading, modifying and deleting files

  • Control of the server

Beyond the severity of the flaw itself, the fact that exploitation requires only an API token raises the threat level well above that of similar issues. Since an attacker needs nothing more than an API token to begin exploiting the Flowise application, many businesses may find themselves more exposed to loss or theft of their customers' sensitive data. The Flowise team has echoed this concern and warned about the threat posed by these exploits.

VulnCheck is currently reporting attacks against Flowise, some of which have been traced to Starlink IP addresses. Flowise has had security issues before, including two other severe vulnerabilities:

  • CVE-2025-8943 (CVSS score: 9.8), which gives an attacker the ability to execute operating system commands.

  • CVE-2025-26319 (CVSS score: 8.9), which lets an attacker download arbitrary files.

Caitlin Condon of VulnCheck noted that the issue has been publicly known for more than six months, yet not all users have updated. More than 12,000 Flowise instances are currently reachable from the Internet, so each unpatched instance is a potential entry point for attackers.

A patch for the vulnerability has already been released in Flowise version 3.0.6. As usual, however, instances remain vulnerable to the same exploit until their operators apply the update.
