Introduction
In the cybersecurity landscape, open-source platforms designed for the development of artificial intelligence-based applications are becoming increasingly frequent targets. When a tool is rapidly and widely adopted, the vulnerabilities it contains can have far-reaching consequences. This is exactly what is happening with Flowise, a platform popular among developers and companies looking to build AI agents in a simple and fast way.
What Happened
Flowise is an open-source platform that allows users to create artificial intelligence-based workflows, even without being programming experts. Security researchers have identified a highly critical vulnerability, classified under the code CVE-2025-59528 and rated with the maximum risk score of 10.0 out of 10 according to the CVSS scale, which measures the severity of security flaws.
The issue lies in a specific component of the platform called the CustomMCP node. Through this element, a malicious actor can inject unauthorized code and execute it remotely on the target system, without needing physical access to the machine. In technical terms, this is referred to as Remote Code Execution, meaning the ability to run any instruction on someone else’s computer from anywhere in the world.
The flaw was disclosed through a security advisory starting at least in September 2025 and, particularly concerning, active exploitation has been observed. Among the detected attack attempts are connections originating from IP addresses associated with the Starlink network. No names of affected organizations or the identities of specific groups responsible for the attacks have been made public.
According to available estimates, between 12,000 and 15,000 Flowise installations are directly exposed on the Internet, meaning they are publicly accessible without additional protections.
Why It Matters and the Potential Impact
A maximum-risk vulnerability, actively exploited and present on tens of thousands of systems reachable from the public network, represents a serious situation. Those using Flowise in production environments — to manage AI agents connected to corporate data or external services — could be exposed to system compromise, unauthorized access to information, or service disruption. Since the organizations already affected are unknown, it is impossible to accurately estimate the damage already caused.
What Companies and Users Can Do
The first concrete and immediate action is to update Flowise to version 3.0.6, in which the vulnerability has been fixed. Those who cannot update immediately should consider restricting access to the platform, preventing it from being directly reachable from the Internet. It is also advisable to check system logs for anomalous activity, and to consult your IT manager or a cybersecurity professional.
Final Takeaways
- Updating Flowise to version 3.0.6 immediately is the only definitive countermeasure against this vulnerability.
- Exposing AI development tools directly to the Internet, without adequate protections, significantly increases the risk of compromise.
- The names of the victims and those responsible are not known: anyone using the platform should consider themselves potentially exposed until the patch has been applied.
Sources:
https://thehackernews.com/2026/04/flowise-ai-agent-builder-under-active.html
https://www.sonicwall.com/fr-fr/blog/flowiseai-custom-mcp-node-remote-code-execution-
https://cybersecuritynews.com/flowise-ai-agent-builder-vulnerability-exploited/amp/
Source: Original article