Artificial Intelligence

Critical Flowise Vulnerability in Attacker Crosshairs

The improper validation of user-supplied JavaScript code allows attackers to execute arbitrary code and access the file system.

Vulnerability

Threat actors have started to exploit a critical vulnerability in Flowise that allows them to execute arbitrary code remotely, VulnCheck warns.

Flowise is an open source development platform that allows users to build customized LLM flows and autonomous agents using a drag-and-drop interface.

Tracked as CVE-2025-59528 (CVSS score of 10), the bug exists because user-supplied JavaScript code is not validated in a function that supports configuration settings input for connecting to an external MCP.

The user-supplied input used to build the MCP server configuration is passed directly to a function that evaluates and executes it as JavaScript code, with full Node.js runtime privileges, leading to remote code execution and access to the file system.

Successful exploitation of the bug could allow attackers to take control of a vulnerable system and exfiltrate sensitive information.

“As only an API token is required, this poses an extreme security risk to business continuity and customer data,” Flowise notes in its advisory.

Advertisement. Scroll to continue reading.

The security defect affects Flowise versions up to 3.0.5 and was patched in version 3.0.6, which was released in September 2025.

Now, vulnerability intelligence firm VulnCheck says it has observed the first in-the-wild exploitation attempts targeting CVE-2025-59528, suggesting that attackers are taking an interest in vulnerable deployments.

“This is a critical-severity bug in a popular AI platform used by a number of large corporations. This specific vulnerability has been public for more than six months, which means defenders have had time to prioritize and patch the vulnerability,” said VulnCheck VP of security research Caitlin Condon.

The company says it has observed between 12,000 and 15,000 publicly accessible Flowise instances. However, it is unclear how many are running vulnerable versions of the platform.

“The internet-facing attack surface area of 12,000+ exposed instances makes the active scanning and exploitation attempts we’re seeing more serious, as it means attackers have plenty of targets to opportunistically reconnoiter and exploit,” Condon said.

Related: Fortinet Rushes Emergency Fixes for Exploited Zero-Day

Related: GrafanaGhost: Attackers Can Abuse Grafana to Leak Enterprise Data

Related: GPUBreach: Root Shell Access Achieved via GPU Rowhammer Attack

Related: Google DeepMind Researchers Map Web Attacks Against AI Agents

Related Content

Artificial Intelligence

Two announcements on July 7, 2026, demonstrate the government’s determination to improve the level of cybersecurity within the UK.

Vulnerabilities

Buffer overflow, DoS, command injection, SSRF, authentication bypass, and other types of vulnerabilities have been found in PAN-OS software.

Vulnerabilities

The privilege escalation vulnerability tracked as CVE-2026-50656 has been patched with a Microsoft Malware Protection Engine update.

Artificial Intelligence

Wiz has disclosed the details of a new AI coding assistant attack method it has dubbed GhostApproval.

Vulnerabilities

The security refresh resolves 13 use-after-free bugs, including two critical-severity flaws found by Google.

Vulnerabilities

Tracked as CVE-2026-11405, the vulnerability allows unauthenticated attackers to access a device's web management interface.

Artificial Intelligence

The "Rogue Agent" vulnerability could have enabled attackers to silently manipulate AI conversations, exfiltrate data, and compromise every Dialogflow CX agent within the same...

Artificial Intelligence

Researchers show how attackers can use a crafted public GitHub Issue to trick AI-powered workflows into exposing data from private repositories without authentication.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version