Canadian Cyber Security Journal

Flowise CVE-2025-59528 CVSS 10.0: AI Agent Builder Under Active Exploitation With 12,000+ Instances Still Exposed

What Happened

Attackers are actively exploiting CVE-2025-59528, a maximum-severity remote code execution vulnerability in Flowise, the widely used open-source platform for building custom large language model (LLM) applications, chatbots, and AI agent pipelines. The vulnerability carries a CVSS score of 10.0.

The flaw is located in the Flowise CustomMCP node, which allows users to configure connections to external Model Context Protocol (MCP) servers. The node hands the mcpServerConfig input parameter to a JavaScript evaluator without first validating that the content is safe to run, so the configuration string is treated as code rather than data. An unauthenticated attacker who sends a crafted request to a vulnerable Flowise instance can execute arbitrary JavaScript and gain full system access, including the ability to read files from the host filesystem, access environment variables and API keys stored in the application, and execute system commands.
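The root cause described above is a configuration string handed to a code evaluator. As an added illustration that is not Flowise's code or its actual fix, the following Node.js parser shows the data-only alternative for such a setting: JSON.parse plus a field-by-field schema check. The field names (command, args, env, url, headers) and the validation rules are assumptions for the example, not Flowise's schema.

```javascript
// Added example, not Flowise's own code: a strict JSON-only parser for an MCP
// server configuration string. Field names and rules are illustrative assumptions.
const ALLOWED_FIELDS = new Set(["command", "args", "env", "url", "headers"]);
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
class ConfigError extends Error {}
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Copy a string-valued map (env vars, HTTP headers), refusing prototype-polluting keys.
function stringMap(obj, where) {
  if (!isPlainObject(obj)) throw new ConfigError(`${where} must be an object`);
  const out = Object.create(null);
  for (const [k, v] of Object.entries(obj)) {
    if (FORBIDDEN_KEYS.has(k)) throw new ConfigError(`${where}: forbidden key ${k}`);
    if (typeof v !== "string") throw new ConfigError(`${where}.${k} must be a string`);
    out[k] = v;
  }
  return out;
}

// JSON.parse treats the input strictly as data: a JavaScript expression or identifier is a
// syntax error here, never executed code. The shape is then checked before any launcher sees it.
function parseMcpServerConfig(text) {
  if (typeof text !== "string") throw new ConfigError("config must be a string");
  let raw;
  try { raw = JSON.parse(text); } catch (e) { throw new ConfigError(`not valid JSON: ${e.message}`); }
  if (!isPlainObject(raw)) throw new ConfigError("config must be a JSON object of servers");
  const servers = Object.create(null);
  for (const [name, entry] of Object.entries(raw)) {
    if (FORBIDDEN_KEYS.has(name) || !/^[A-Za-z0-9_-]{1,64}$/.test(name)) throw new ConfigError("bad server name");
    if (!isPlainObject(entry)) throw new ConfigError(`${name} must be an object`);
    const out = Object.create(null);
    for (const [field, value] of Object.entries(entry)) {
      if (!ALLOWED_FIELDS.has(field)) throw new ConfigError(`${name}: unknown field ${field}`);
      if (field === "args") {
        if (!Array.isArray(value) || !value.every((a) => typeof a === "string")) throw new ConfigError(`${name}.args must be strings`);
        out.args = [...value];
      } else if (field === "env" || field === "headers") {
        out[field] = stringMap(value, `${name}.${field}`);
      } else if (typeof value !== "string") {
        throw new ConfigError(`${name}.${field} must be a string`);
      } else if (field === "url" && !/^https?:\/\//i.test(value)) {
        throw new ConfigError(`${name}.url must use http or https`);
      } else out[field] = value;
    }
    // Exactly one transport per server: a local command or a remote URL, never both or neither.
    if ((out.command === undefined) === (out.url === undefined)) throw new ConfigError(`${name}: need command or url`);
    servers[name] = out;
  }
  return servers;
}
```

Anything that is not literally JSON, including a JavaScript object literal containing expressions, fails at the parse step and is never evaluated.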

The vulnerability was first publicly disclosed in September 2025, and the Flowise developer released a fix in version 3.0.6. Despite this timeline, VulnCheck researchers detected the first confirmed in-the-wild exploitation activity from a Starlink IP address in early April 2026. Current internet scans identify between 12,000 and 15,000 Flowise instances exposed online. Users should upgrade to Flowise version 3.1.1 or later.

Sources: BleepingComputer | The Hacker News

Why This Matters for Canadian Organizations

Flowise is one of the most widely adopted open-source platforms for building AI agent workflows, and its popularity has grown substantially as Canadian enterprises, startups, and government teams build internal LLM tools and customer-facing AI applications. Many organizations deploy Flowise on self-hosted infrastructure — in cloud VMs, on-premises servers, or containerized environments — often with limited security review, since it is frequently treated as a development or prototyping tool rather than a production application requiring formal hardening.

The practical consequence of exploitation is severe. Flowise instances commonly hold API keys for OpenAI, Anthropic, Azure OpenAI, and other LLM providers, as well as credentials for databases, vector stores, and internal business systems connected through the platform’s integrations. An attacker who exploits CVE-2025-59528 on a Flowise instance gains access not just to the host system but to every downstream service whose credentials are configured in the application.

For Canadian organizations subject to PIPEDA, a breach of a Flowise instance connected to systems holding personal information creates notification obligations. Developers and DevOps teams building AI pipelines should assess whether any Flowise deployment in their environment processes personal data or connects to systems where personal data is stored.

What to Do

Upgrade all Flowise deployments to version 3.1.1 immediately. If you are running version 3.0.5 or earlier, your instance is vulnerable. There is no configuration-level workaround for this flaw — patching is the only remediation.

If you cannot upgrade immediately, take the Flowise instance offline or restrict access to internal networks only. An internet-exposed Flowise instance running an unpatched version is under active scan and exploitation attempts as of this writing.

Audit all API keys, database credentials, and service account tokens configured in your Flowise instance. Rotate them as a precaution, particularly for high-value integrations such as OpenAI API keys with high spending limits, database credentials with write access, and cloud provider credentials. Review application logs for signs of unauthorized access, including unexpected requests to the CustomMCP configuration endpoint and any evidence of command execution or file access outside normal Flowise workflows.

Canadian organizations using Flowise in production environments should also assess whether the application falls under the scope of any internal vulnerability disclosure or incident response policy, and report confirmed compromises to the Canadian Centre for Cyber Security at contact@cyber.gc.ca.
