Flowise AI Builder Hit by Active CVSS 10.0 RCE Exploitation
If you only read one thing: Attackers are actively exploiting a CVSS 10.0 Flowise flaw that can lead to remote code execution.
As of April 7, 2026, VulnCheck says more than 12,000 Flowise instances are exposed.
What happened
Flowise CVE-2025-59528 is already being abused in the wild. The flaw affects Flowise’s CustomMCP node. It carries a CVSS score of 10.0, the highest severity rating.
That combination points to remote code execution risk. In plain terms, an attacker could run commands on a vulnerable instance after reaching the exposed component. The NVD entry for CVE-2025-59528 and the CVE record both track the issue.
If your Flowise deployment exposes CustomMCP, treat it as a live incident, not a routine patch item.
The scale matters too. Reporting tied to the case says more than 12,000 instances were exposed, which gives attackers a large target set. The original report from The Hacker News says threat actors are actively probing that surface.
AI workflow builders sit close to data, APIs, and automation logic. That makes a single injection bug noisy. It also makes it operationally dangerous.
- CustomMCP node: The Flowise component named in the advisory. It handles configuration for external connections, which is why input handling here matters.
- Remote code execution: A condition where an attacker can run code on the target system. That can lead to data theft, persistence, or lateral movement.
- CVSS 10.0: The top severity score in the Common Vulnerability Scoring System. It usually signals a flaw with broad impact and little room for error.
Last reviewed: April 7, 2026
Why it matters
A code injection bug in an AI agent builder is not just a bug. It can become command execution on the host, then movement into whatever that host can reach.
That is the real risk with Flowise CVE-2025-59528. If an attacker can abuse the affected node, they may alter automation flows, steal secrets, or plant logic that changes future outputs.
Open-source tools often live behind trust assumptions. Admins place them on internal networks, connect them to APIs, and assume the builder itself is safe. Exposing that surface to the internet changes the equation fast.
Plain version: if the builder is reachable, attackers may use it as a foothold into connected systems.

The privacy impact is direct. Workflows often touch prompts, tokens, logs, and data pulled from internal services. One compromise can expose all of it.
Operationally, the blast radius can be ugly. Teams may need to disable flows, rotate credentials, and inspect every automation path that touched the vulnerable component. That costs time, and it interrupts business processes.
In our assessment, this is why the issue matters beyond one product. A builder that sits between users and infrastructure becomes a high-value target the moment attackers can reach it.
For the advisory details, see CVE-2025-59528 on NVD.
What to watch next
Start with patch status. If the vendor has shipped a fix, confirm it is actually deployed. Delays matter here.
Then check exposure. Is Flowise internet-facing, or tucked behind internal access controls? That single detail changes the risk profile fast, especially for CVE-2025-59528.
If Flowise is reachable from the public internet, treat it as a live target and review it now.
Logs deserve a close look too. Hunt for odd CustomMCP activity, unexpected configuration changes, and agent workflows that suddenly call new endpoints. Pay extra attention if those workflows touch secrets, tokens, or customer data.
Keep an eye on follow-up from VulnCheck and other researchers. New exploitation details may change what indicators matter, and they may surface additional abuse patterns. RFC 9110 is useful here for HTTP logging context, while RFC 3986 helps when you review suspicious URLs and callback targets.
Short version: patch, verify exposure, and review logs before assuming nothing happened. A quiet system is not the same as a safe one.
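The log review described above can start from the reverse proxy's access log. The following is an added example, not code from Flowise or from the researchers cited here: it groups requests that mention the CustomMCP node by source address and marks sources outside the ranges you trust. It assumes Combined Log Format and that the node name appears in the request path; the sample lines, paths, and addresses are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample access log (Combined Log Format); paths and addresses are illustrative.
SAMPLE_LOG = """\
10.0.4.17 - - [07/Apr/2026:09:12:01 +0000] "GET /api/example/flows HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.4.17 - - [07/Apr/2026:09:13:44 +0000] "POST /api/example/customMCP HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.23 - - [07/Apr/2026:09:20:10 +0000] "POST /api/example/customMCP HTTP/1.1" 200 87 "-" "python-requests/2.32"
198.51.100.23 - - [07/Apr/2026:09:20:12 +0000] "POST /api/example/customMCP HTTP/1.1" 500 64 "-" "python-requests/2.32"
203.0.113.9 - - [07/Apr/2026:09:31:05 +0000] "POST /api/example/custom%4dCP HTTP/1.1" 200 87 "-" "curl/8.5"
203.0.113.9 - - [07/Apr/2026:09:31:09 +0000] "GET /api/example/health HTTP/1.1" 200 4 "-" "curl/8.5"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
NODE_NAME = "custommcp"  # node name from the advisory, matched case-insensitively


def triage(log_text, trusted_cidrs):
    """Group requests that mention the CustomMCP node by source address."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, when, target, status = m.groups()
        # Decode percent-encoding (RFC 3986) so an encoded node name still matches.
        path = unquote(target.split("?", 1)[0]).lower()
        if NODE_NAME not in path:
            continue
        addr = ipaddress.ip_address(src)
        entry = findings.setdefault(src, {
            "external": not any(addr in net for net in trusted),
            "hits": 0, "first_seen": when, "statuses": set(),
        })
        entry["hits"] += 1
        entry["statuses"].add(int(status))
    return findings


def external_sources(findings):
    """Source addresses outside the trusted ranges, busiest first."""
    ext = [(ip, f["hits"]) for ip, f in findings.items() if f["external"]]
    return sorted(ext, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    print(external_sources(triage(SAMPLE_LOG, ["10.0.0.0/8"])))
```

Any external source in the result also answers the exposure question: the instance was reachable from outside the trusted ranges at the recorded `first_seen` time.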
Readers often ask
Readers often ask: What is Flowise CVE-2025-59528 in plain terms?
Flowise CVE-2025-59528 is a code injection flaw in the CustomMCP node. In plain terms, a crafted configuration can make Flowise run attacker-controlled code.
The issue carries a CVSS 10.0 score, so it is treated as critical. That rating reflects the risk of remote code execution, not just a crash or data leak.
Readers often ask: How does the Flowise vulnerability work?
Attackers abuse input that the CustomMCP node accepts as configuration. If the application trusts that input too much, the attacker can pivot from configuration changes to code execution.
That matters because code execution can give an intruder a foothold inside the host. From there, they may read files, change workflows, or move deeper into the environment.
Readers often ask: What should IT verify after this alert?
Check whether any Flowise instance is internet-facing. Then review logs for suspicious CustomMCP configuration changes, unexpected process launches, and command execution around the same time.
If you find exposure, treat it as urgent. Also confirm the deployed version against the vendor advisory and any related CVE notice before assuming the system is clean.
Readers often ask: Is Flowise CVE-2025-59528 still a risk on public Wi-Fi?
Public Wi-Fi is not the core issue here. The vulnerability matters wherever a reachable Flowise instance can be abused, including over a trusted network or the open internet.
An attacker does not need to be on the same hotspot if the service is exposed remotely. Network location changes the path, not the flaw.
Readers often ask: Why does this matter for network security teams?
Remote code execution changes the threat model fast. A single exposed app can become a launch point for credential theft, lateral movement, or tampering with automation workflows.
In our assessment, the biggest risk is not just the initial compromise. It is what the attacker can reach after Flowise starts running their code.
Readers often ask: How is the CustomMCP node involved in the attack?
The CustomMCP node is the weak point described in the advisory. The flaw sits in how it handles configuration input, which gives an attacker a path to inject code.
That is why defenders should review any workflows that use this node. A small config change can have a much larger effect than it looks like on the surface.
Readers often ask: Is there active exploitation of Flowise CVE-2025-59528?
Yes, the alert describes active abuse. That means defenders should assume attackers are already testing exposed systems, not waiting for a future proof of concept.
The data suggests fast triage is the right move. Confirm exposure, inspect logs, and isolate any instance that shows signs of suspicious execution.
Readers often ask: What standards or references matter here?
For the technical context, remote code execution is the key outcome, and CVSS is the scoring system used to rate severity. If you are mapping the issue to broader security guidance, track it alongside the vendor advisory and the CVE record.


