Skip to main content
Emerging ThreatsMalware & Ransomware

Flowise AI Platform Faces Active RCE Exploitation

Flowise AI Platform Faces Active RCE Exploitation

What do you do when an open-source AI builder used on more than 12,000 public instances harbors a vulnerability that lets an attacker run arbitrary code? That is the dilemma security researchers say operators of Flowise face today.

The flaw and how it works

New findings from VulnCheck report that threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform. The issue is tracked as CVE-2025-59528 and carries a CVSS score of 10.0. According to the report, the vulnerability is a code injection flaw "that could result in remote code execution." VulnCheck also notes that "The CustomMCP node allows users to input configuration settings for connecting" — language the researchers use to describe where the risky input arises.

Scope and current activity

VulnCheck characterizes the situation as active exploitation. The public reporting tied to the incident notes that more than 12,000 Flowise instances are exposed, creating a broad attack surface for adversaries who can exploit remote code execution to run commands on vulnerable systems.

Why this matters — perspectives to consider

  • Technologists: A code injection vulnerability that enables remote code execution at CVSS 10.0 represents a critical operational and security risk; identifying, isolating and assessing exposed instances will be a priority for defenders.
  • Users and administrators: The scale of exposure — 12,000+ instances — raises the urgency for anyone running Flowise to confirm whether their deployments include the vulnerable component referenced by VulnCheck.
  • Policymakers and risk managers: Active exploitation of a high-severity flaw in a widely used open-source AI tool underscores questions about software supply-chain risk and the velocity at which vulnerabilities can affect decentralized deployments.
  • Adversaries: The combination of a code-injection vector and remote code execution capability presents an attractive target profile for those seeking to compromise AI infrastructure at scale.

Implications and closing thought

The facts in the public reporting are stark: a maximum-severity, remotely exploitable code-injection flaw (CVE-2025-59528, CVSS 10.0) in Flowise, active exploitation documented by VulnCheck, and more than 12,000 exposed instances. For operators and decision-makers, the central question is not whether this matters — it plainly does — but what steps will be taken, and how quickly, to reduce an exposed attack surface that adversaries are already targeting.

https://thehackernews.com/2026/04/flowise-ai-agent-builder-under-active.html