Max-Severity Flowise RCE Vulnerability Now Exploited in Attacks


What happened

A maximum-severity Flowise vulnerability is now being exploited in attacks, exposing internet-facing deployments of the open-source AI workflow platform to arbitrary code execution. The flaw, tracked as CVE-2025-59528, is a CVSS 10 issue in the Flowise CustomMCP node that allows unsafe evaluation of user-supplied JavaScript through the mcpServerConfig input. Successful exploitation can lead to command execution and file system access. The issue was publicly disclosed in September 2025, and the developer fixed it in Flowise version 3.0.6. New exploitation activity was detected by a canary network on April 7, 2026. Researchers also warned that between 12,000 and 15,000 Flowise instances are currently exposed online, though it is unclear how many remain vulnerable. 

Who is affected

The direct exposure affects organizations running internet-accessible Flowise instances, particularly deployments still using versions older than 3.0.6. The platform is used to build AI agents, chatbots, automation workflows, and knowledge-based assistants, making the risk relevant to both internal prototypes and production-facing AI systems. 

Why CISOs should care

This matters because the flaw creates a direct path from an exposed AI workflow platform to arbitrary code execution on the underlying server. It also comes as other Flowise vulnerabilities, including CVE-2025-8943 and CVE-2025-26319, have seen exploitation in the wild, increasing pressure on organizations that have left these systems exposed to the public internet.

3 practical actions

  1. Upgrade affected deployments immediately: Move Flowise instances to version 3.1.1 or at least 3.0.6 to remove exposure to CVE-2025-59528. 
  2. Reduce internet exposure: Remove Flowise instances from the public internet if external access is not required. 
  3. Treat AI workflow platforms as server compromise risk: Review externally exposed AI development and orchestration tools as part of core attack surface management, not just experimental infrastructure. 