{"id":515,"date":"2026-04-07T06:16:36","date_gmt":"2026-04-07T06:16:36","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=515"},"modified":"2026-04-07T06:16:36","modified_gmt":"2026-04-07T06:16:36","slug":"flowise-ai-agent-builder-under-active-cvss-10-0-rce-exploitation-12000-instances-exposed","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=515","title":{"rendered":"Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Apr 07, 2026<\/span><\/span>Artificial Intelligence \/ Vulnerability<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Threat actors are exploiting a maximum-severity security flaw in Flowise<\/b>, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck.<\/p>\n

The vulnerability in question\u00a0is CVE-2025-59528<\/strong> (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution.<\/p>\n

\u00abThe CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server,\u00bb\u00a0Flowise said<\/a> in an advisory released in September 2025. \u00abThis node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation.\u00bb<\/p>\n

Flowise noted that successful exploitation of the vulnerability can allow access to dangerous modules such as child_process (command execution) and fs (file system), as it runs with full Node.js\u00a0runtime privileges.<\/p>\n

Put differently, a threat actor\u00a0who weaponizes the flaw can execute arbitrary JavaScript code on the Flowise server, leading to full system compromise, file system access, command execution, and sensitive\u00a0data exfiltration.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

\u00abAs only an API token is required, this poses an extreme security risk to business continuity and customer data,\u00bb Flowise added. It\u00a0credited Kim SooHyun with discovering and reporting the\u00a0flaw. The issue was\u00a0addressed in version 3.0.6\u00a0of the npm\u00a0package.<\/p>\n

According to details shared by VulnCheck, exploitation activity against the vulnerability has originated from a single Starlink IP address. CVE-2025-59528 is\u00a0the third Flowise\u00a0flaw<\/a> with in-the-wild exploitation\u00a0after CVE-2025-8943<\/a> (CVSS score: 9.8), an operating system command remote code execution,\u00a0and CVE-2025-26319<\/a> (CVSS score: 8.9), an arbitrary file\u00a0upload.<\/p>\n

\u00abThis is a critical-severity bug in a popular AI platform used\u00a0by a number\u00a0of large corporations,\u00bb Caitlin Condon, vice president of security research at VulnCheck, told The Hacker News in a statement.<\/p>\n

\u00abThis specific vulnerability has been public for more than six months, which means defenders have had time to prioritize and patch the vulnerability. The\u00a0internet-facing attack surface area of 12,000+ exposed instances makes the active scanning and exploitation attempts we’re seeing more serious, as it means attackers have plenty of\u00a0targets to opportunistically reconnoiter and\u00a0exploit.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

\ue804Ravie Lakshmanan\ue802Apr 07, 2026Artificial Intelligence \/ Vulnerability Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck. The…<\/p>\n","protected":false},"author":1,"featured_media":516,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[64,683,1096,497,65,137,1095,301,316],"class_list":["post-515","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-active","tag-agent","tag-builder","tag-cvss","tag-exploitation","tag-exposed","tag-flowise","tag-instances","tag-rce"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=515"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/515\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/516"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}