Max-Severity Flowise RCE Vulnerability Now Exploited in Attacks

Related

Hackers Exploit Critical Auth Bypass in Gitea Docker Image

What happened Hackers are actively exploiting a critical authentication bypass...

Zimbra Urges Customers to Patch Critical Web Client XSS Flaw

What happened Zimbra urged customers to patch a critical stored...

Progress Urges ShareFile Customers to Shut Down Servers Over Credible Threat

What happened Progress Software warned ShareFile customers using Storage Zone...

Ubiquiti Discloses 25 Security Flaws Across UniFi Ecosystem

What happened Ubiquiti disclosed 25 security vulnerabilities affecting products across...

AirDrop and Quick Share Flaws Allow Attackers to Crash Nearby Devices

What happened Security researchers disclosed multiple vulnerabilities affecting Apple AirDrop...

Share

What happened

A maximum-severity Flowise vulnerability is now being exploited in attacks, exposing internet-facing deployments of the open-source AI workflow platform to arbitrary code execution. The flaw, tracked as CVE-2025-59528, is a CVSS 10 issue in the Flowise CustomMCP node that allows unsafe evaluation of user-supplied JavaScript through the mcpServerConfig input. Successful exploitation can lead to command execution and file system access. The issue was publicly disclosed in September 2025, and the developer fixed it in Flowise version 3.0.6. New exploitation activity was detected by a canary network on April 7, 2026. Researchers also warned that between 12,000 and 15,000 Flowise instances are currently exposed online, though it is unclear how many remain vulnerable. 

Who is affected

The direct exposure affects organizations running internet-accessible Flowise instances, particularly deployments still using versions older than 3.0.6. The platform is used to build AI agents, chatbots, automation workflows, and knowledge-based assistants, making the risk relevant to both internal prototypes and production-facing AI systems. 

Why CISOs should care

This matters because the flaw creates a direct path from an exposed AI workflow platform to arbitrary code execution on the underlying server. It also comes as other Flowise vulnerabilities, including CVE-2025-8943 and CVE-2025-26319, have also seen exploitation in the wild, increasing pressure on organizations that have left these systems exposed to the public internet. 

3 practical actions

  1. Upgrade affected deployments immediately: Move Flowise instances to version 3.1.1 or at least 3.0.6 to remove exposure to CVE-2025-59528. 
  2. Reduce internet exposure: Remove Flowise instances from the public internet if external access is not required. 
  3. Treat AI workflow platforms as server compromise risk: Review externally exposed AI development and orchestration tools as part of core attack surface management, not just experimental infrastructure. 
  4. For more news about security flaws under active exploitation, click Vulnerability to read more.
IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.