Flowise CVE-2025-59528 (CVSS 10.0): Critical RCE in AI Agent Builder Actively Exploited with 12,000+ Exposed Instances
Date: 2026-04-20
Tags: malicious-tool
Executive Summary
VulnCheck researchers detected the first confirmed in-the-wild exploitation activity from a Starlink IP address in early April 2026. Attackers are actively exploiting CVE-2025-59528, a maximum-severity remote code execution vulnerability in Flowise with a CVSS score of 10.0. Current internet scans identify between 12,000 and 15,000 Flowise instances exposed online.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Flowise RCE Exploitation Campaign |
| Attribution | Unknown APT or independent threat actor (confidence: low) |
| Target | Organizations using Flowise for AI agent/LLM applications; healthcare, finance, government potentially at risk |
| Vector | Unauthenticated RCE via unsafe JavaScript evaluation in CustomMCP node; HTTP POST requests to vulnerable Flowise instances |
| Status | active |
| First Observed | 2026-04-03 |
Detailed Findings
The flaw is located in the Flowise CustomMCP node, which allows users to configure connections to external Model Context Protocol (MCP) servers. The node evaluates the mcpServerConfig input parameter using unsafe JavaScript execution without first validating that the content is safe to run. An unauthenticated attacker who sends a crafted request to a vulnerable Flowise instance can execute arbitrary JavaScript and gain full system access, including the ability to read files from the host filesystem, access environment variables and API keys stored in the application, and execute system commands. Flowise instances commonly hold API keys for OpenAI, Anthropic, Azure OpenAI, and other LLM providers, as well as credentials for databases, vector stores, and internal business systems connected through the platform's integrations. An attacker who exploits CVE-2025-59528 on a Flowise instance gains access not just to the host system but to every downstream service whose credentials are configured in the application.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Exploitation of Remote Service | T1210 | Unauthenticated RCE via vulnerable CustomMCP node evaluation |
| Unsecured Credentials | T1552 | Harvesting LLM API keys and cloud credentials from Flowise configuration |
| Lateral Movement | T1570 | Compromise of downstream services via stolen credentials |
IOCs
Domains
_VulnCheck identified initial exploitation from a Starlink IP address. IOCs are limited because the active campaign targets a broad base of instances._
Full URL Paths
_VulnCheck identified initial exploitation from a Starlink IP address. IOCs are limited because the active campaign targets a broad base of instances._
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
flowise < 3.1.1
Detection Recommendations
Upgrade all Flowise deployments to version 3.1.1 immediately. If you are running version 3.0.5 or earlier, your instance is vulnerable. Monitor for: (1) HTTP POST requests to /api/v1/chatmessages with mcpServerConfig parameters containing JavaScript payload patterns; (2) Unusual process execution spawning from Flowise container/process (shell, curl, wget); (3) Outbound connections to LLM provider APIs or cloud credential endpoints immediately after exploitation; (4) Environment variable access patterns in application logs.
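Monitoring item (1) as log triage, an added example that is not from VulnCheck or the Flowise project. It assumes a hypothetical JSON-lines request log with src, method, path and body fields, and that legitimate mcpServerConfig values are strict JSON; the function names and sample records are constructed.

```javascript
// Tokens that indicate executable JavaScript rather than configuration data.
const CODE_MARKERS = [/\brequire\s*\(/, /\bimport\s*\(/, /\bprocess\s*\./,
  /\bchild_process\b/, /\bfunction\b/, /=>/, /\beval\s*\(/];

// Collect every value stored under `key`, at any nesting depth.
function findKey(node, key, out = []) {
  if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) {
      if (k === key) out.push(v);
      findKey(v, key, out);
    }
  }
  return out;
}

// Reasons one mcpServerConfig value looks like code rather than data.
function inspectConfig(value) {
  const raw = typeof value === 'string' ? value : JSON.stringify(value);
  const reasons = [];
  try {
    const parsed = JSON.parse(raw);
    if (parsed === null || typeof parsed !== 'object') reasons.push('not-an-object');
  } catch {
    reasons.push('not-strict-json');
  }
  if (CODE_MARKERS.some((re) => re.test(raw))) reasons.push('code-marker');
  return reasons;
}

// Scan JSON-lines request logs (assumed schema) and return one alert per hit.
function scanLog(lines) {
  const alerts = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    if (!rec || rec.method !== 'POST' || !String(rec.path).startsWith('/api/v1/chatmessages')) continue;
    const reasons = findKey(rec.body, 'mcpServerConfig').flatMap(inspectConfig);
    if (reasons.length) alerts.push({ src: rec.src, reasons: [...new Set(reasons)] });
  }
  return alerts;
}

// Constructed sample records; addresses are from documentation ranges.
const SAMPLE_LOG = [
  JSON.stringify({ src: '192.0.2.10', method: 'POST', path: '/api/v1/chatmessages',
    body: { question: 'hi', mcpServerConfig: '{"command":"npx","args":["example-mcp"]}' } }),
  JSON.stringify({ src: '198.51.100.7', method: 'POST', path: '/api/v1/chatmessages',
    body: { nested: { mcpServerConfig: '(function () { return {}; })()' } } }),
];
console.log(scanLog(SAMPLE_LOG));
```

The key is searched at any depth because the report does not say where in the request body it sits. Deployments that accept relaxed, non-JSON config syntax should alert on `code-marker` alone, since `not-strict-json` would fire on legitimate traffic.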
References
- [Canadian Cyber Security Journal / VulnCheck] Flowise CVE-2025-59528 CVSS 10.0: AI Agent Builder Under Active Exploitation With 12,000+ Instances Still Exposed (2026-04-08) — https://cybersecurityjournal.ca/techtalk/83883-flowise-cve-2025-59528-rce-exploitation-ai-agent-builder-2026-04-08/