CRITICAL: Flowise AI Agent Builder Hit by Perfect 10 Vulnerability: 12,000 Instances in the Crosshairs
Flowise, a popular open-source AI agent builder, is under active exploitation for CVE-2025-59528, a perfect CVSS 10.0 remote code execution flaw. An estimated 12,000 internet-exposed instances are at risk, with attack traffic already observed from Starlink IP addresses.
If you have been watching the AI development space, you have probably noticed that every company with a pulse is racing to build agents, chatbots, and automated workflows. The tools enabling this boom have become critical infrastructure overnight, and attackers have absolutely noticed. This week, Flowise, one of the most popular open-source platforms for building AI agents, is under active exploitation for a vulnerability that quite literally cannot get any worse. CVE-2025-59528 carries a perfect CVSS score of 10.0, meaning there is nothing that could make this flaw more severe without changing the fundamental laws of how computers work.
Flowise functions as a visual drag-and-drop interface for building LLM-powered applications. Think of it as the no-code bridge between your business logic and the language models doing the heavy lifting. Developers use it to chain together API calls, connect to databases, integrate Model Context Protocol servers, and orchestrate complex AI workflows without drowning in boilerplate code. It has become particularly popular among enterprises experimenting with AI automation because it dramatically lowers the barrier to entry. The platform supports connections to OpenAI, Anthropic, and dozens of other AI providers, making it a one-stop shop for AI application development.
The vulnerability lives in the CustomMCP node, which handles configuration settings for connecting to external MCP servers. When a user provides configuration through the mcpServerConfig parameter, the system parses it to build the server connection. The problem is breathtakingly simple: during this parsing process, Flowise executes JavaScript code without any security validation whatsoever. None. The code runs with full Node.js runtime privileges, which means an attacker who exploits this flaw gains access to child_process for command execution and fs for file system operations. In practical terms, they own the server.
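The defensive counterpart to the flaw described above is to treat the configuration string as data only: parse it with `JSON.parse` and validate it against an allowlist, never evaluate it. The sketch below is an added example, not Flowise's code or its actual patch; the key names, the command allowlist, the size limit and the https-only rule are assumptions to adapt to local policy.

```javascript
'use strict';
// Added example, not Flowise code. Key names and the command allowlist are
// assumptions modelled on common MCP client configs; adjust to local policy.
const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url', 'headers']);
const ALLOWED_COMMANDS = new Set(['npx', 'node', 'docker']);

const fail = (reason) => ({ ok: false, reason });
const isStringMap = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v) &&
  Object.values(v).every((x) => typeof x === 'string');

function parseMcpServerConfig(raw) {
  if (typeof raw !== 'string' || raw.length > 8192) return fail('not a string or too large');
  let cfg;
  try {
    cfg = JSON.parse(raw); // data-only parse: no eval, no Function constructor
  } catch {
    return fail('not strict JSON');
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    return fail('top level must be an object');
  }
  // Rejects unknown keys, including an own "__proto__" key created by JSON.parse.
  const extra = Object.keys(cfg).find((k) => !ALLOWED_KEYS.has(k));
  if (extra !== undefined) return fail(`unexpected key: ${extra}`);
  if (('command' in cfg) === ('url' in cfg)) return fail('need exactly one of command or url');
  if ('command' in cfg && !ALLOWED_COMMANDS.has(cfg.command)) return fail('command not allowlisted');
  if ('url' in cfg) {
    let proto = null;
    try { proto = new URL(String(cfg.url)).protocol; } catch { /* invalid URL */ }
    if (typeof cfg.url !== 'string' || proto !== 'https:') return fail('url must be an https URL');
  }
  if ('args' in cfg && !(Array.isArray(cfg.args) && cfg.args.every((a) => typeof a === 'string'))) {
    return fail('args must be an array of strings');
  }
  for (const k of ['env', 'headers']) {
    if (k in cfg && !isStringMap(cfg[k])) return fail(`${k} must map strings to strings`);
  }
  return { ok: true, config: cfg };
}

// Constructed inputs: strict JSON passes; a JavaScript object literal, which only
// an evaluating parser would accept, is rejected before anything can execute.
const SAMPLES = [
  '{"command":"npx","args":["-y","example-mcp-server"]}',
  '{command: "npx", args: ["-y", "example-mcp-server"]}',
];
const verdicts = () => SAMPLES.map((s) => parseMcpServerConfig(s).ok);
console.log(verdicts());
```

The same function can be run over logged `mcpServerConfig` values during triage: anything that fails the strict-JSON step deserves a closer look.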
VulnCheck researchers discovered that active exploitation is already underway, with attack traffic originating from a single Starlink IP address. The attacks are targeting the estimated 12,000 Flowise instances currently exposed to the internet. That number should give security teams pause. These are not honeypots or test deployments sitting forgotten in someone's AWS account. A significant portion of these instances are production systems connected to enterprise AI workflows, customer data pipelines, and internal automation tools. Each one represents a potential entry point into a corporate network.
What makes this situation particularly frustrating is that defenders have had six months to address this. Flowise disclosed the vulnerability back in September 2025 and released a patched version, 3.0.6, at the same time. The researcher Kim SooHyun received credit for the discovery, and the advisory clearly spelled out the risk. Yet here we are in April 2026, watching active exploitation unfold against thousands of still-vulnerable systems. The patch has been available for half a year, and the attack surface has not meaningfully shrunk.
This is not even the first time Flowise has found itself in attackers' crosshairs. CVE-2025-59528 marks the third vulnerability in the platform to see active exploitation in the wild. The previous two were CVE-2025-8943, an operating system command injection flaw with a CVSS of 9.8, and CVE-2025-26319, an arbitrary file upload vulnerability scored at 8.9. The pattern here is unmistakable. Flowise has become a high-value target precisely because it sits at the intersection of two things attackers love: internet-facing services and access to sensitive data. AI platforms ingest training data, process customer inputs, and connect to backend systems. Compromising one can yield credentials, proprietary information, and lateral movement opportunities that would otherwise require multiple steps to obtain.
Caitlin Condon, VulnCheck's vice president of security research, put it bluntly when she noted that this is a critical-severity bug in a platform used by large corporations. The combination of extended public exposure, a massive attack surface, and active scanning means that anyone running an unpatched instance is essentially waiting for their turn in the exploitation queue. Opportunistic attackers do not need sophisticated targeting when 12,000 potential victims are sitting there with welcome mats at their doors.
The broader lesson here extends beyond Flowise itself. AI development tools have become shadow IT at an alarming rate. Development teams spin up instances to experiment, integrate them into workflows, and move on to the next sprint. Nobody assigned ownership. Nobody scheduled patching. Nobody even remembered the instance existed until an attacker found it. This pattern repeats across organizations of every size, and it is why vulnerabilities in developer-focused tools tend to linger far longer than their severity would suggest.
For organizations currently running Flowise, the remediation path is straightforward. Update to version 3.0.6 or later immediately. If you cannot patch right away, restrict network access to the Flowise instance so that only authorized users can reach it. Better yet, take it off the public internet entirely. There is no legitimate reason for an AI development platform to be exposed to the entire world. Use a VPN or bastion host for developer access and treat the instance like the sensitive infrastructure it actually is.
Security teams should also conduct an audit of what AI development tools exist within their environment. Flowise is just one platform among dozens, and the vulnerability density in this space is only going to increase as adoption accelerates. Tools like LangChain, LlamaIndex, Haystack, and their visual counterparts all represent potential attack surface that traditional asset inventory processes might miss entirely. If your organization is building with AI, you need visibility into where those development environments live and who controls them.
The incident also underscores why the "only an API token is required" disclosure from Flowise matters so much. Many organizations treat API tokens as lower-sensitivity credentials compared to traditional usernames and passwords. They get committed to repositories, shared in Slack channels, and embedded in configuration files that outlive the projects they were created for. An attacker who steals or guesses an API token can exploit CVE-2025-59528 without any additional authentication hurdles. Token hygiene suddenly looks a lot more important when a single secret unlocks full remote code execution.
Looking at the bigger picture, Flowise joins a growing list of AI infrastructure components that have suffered serious security issues in recent months. The TeamPCP supply chain attack against LiteLLM demonstrated how developer endpoints become credential vaults when AI tools get compromised. Vulnerabilities in LangChain and LangGraph showed that even the most popular frameworks carry significant risk. The pattern is consistent across the ecosystem: rapid development, enthusiastic adoption, and security considerations that arrive fashionably late to the party.
For CISOs trying to get ahead of this trend, the playbook involves establishing governance for AI development tools before they proliferate beyond control. That means approved platforms, deployment standards, patching requirements, and network segmentation that keeps experimental AI workloads isolated from production systems. The alternative is discovering your AI development environment became an attack vector long after the damage is done.
The attackers scanning from that Starlink IP address understand something that defenders are still learning: AI tools represent exceptionally high-value targets because they touch everything from customer data to internal processes to the credentials that connect all of it together. A single compromised Flowise instance can yield access that would otherwise require extensive reconnaissance and multiple exploitation steps. The economics favor the attacker, and that equation only shifts when defenders start treating AI infrastructure with the same rigor they apply to traditional crown jewels.
Patch your Flowise instances today. Then go find the ones you forgot you had.
References
- VulnCheck Research
https://vulncheck.com/blog/flowise-cve-2025-59528-exploitation
- CISA KEV Catalog
https://www.cisa.gov/known-exploited-vulnerabilities-catalog