Full Report
Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck. The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution. "The CustomMCP node allows users to input configuration settings for connecting
Analysis Summary
# Vulnerability: Flowise AI CustomMCP Node Code Injection
## CVE Details
- **CVE ID:** CVE-2025-59528
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-94 (Improper Control of Generation of Code / Code Injection)
## Affected Systems
- **Products:** Flowise (Open-source AI agent builder)
- **Versions:** All versions prior to 3.0.6
- **Configurations:** Systems running the `npm` package with the `CustomMCP` node enabled.
## Vulnerability Description
The flaw exists within the **CustomMCP node**, which allows users to input configuration settings to connect to an external Model Context Protocol (MCP) server. The platform parses the user-provided `mcpServerConfig` string and executes JavaScript code during the configuration process without sufficient security validation. Because Flowise operates with full Node.js runtime privileges, an attacker can bypass restrictions to access dangerous modules like `child_process` and `fs`.
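The difference between evaluating a configuration string and parsing it strictly as data, shown as an added example (this is not Flowise's code and not the 3.0.6 fix). The function name `parseMcpServerConfig`, the `ALLOWED_KEYS` allowlist, the `url`/`headers` field names, the size limit and the https-only rule are assumptions chosen for illustration.

```javascript
// Added example: strict, data-only handling of an MCP server config string.
// ALLOWED_KEYS, the 4096-char limit and the https-only rule are assumptions.
const ALLOWED_KEYS = new Set(["url", "headers"]);

function parseMcpServerConfig(raw) {
  if (typeof raw !== "string" || raw.length > 4096) {
    return { ok: false, reason: "config must be a string of at most 4096 chars" };
  }
  let cfg;
  try {
    // JSON.parse only builds data. It never runs code, unlike eval() or
    // new Function(), which treat the same string as a program.
    cfg = JSON.parse(raw);
  } catch {
    return { ok: false, reason: "not valid JSON" };
  }
  if (cfg === null || typeof cfg !== "object" || Array.isArray(cfg)) {
    return { ok: false, reason: "top level must be an object" };
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) return { ok: false, reason: `unexpected key: ${key}` };
  }
  if (typeof cfg.url !== "string") return { ok: false, reason: "url must be a string" };
  let url;
  try {
    url = new URL(cfg.url);
  } catch {
    return { ok: false, reason: "url malformed" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "url must be https" };
  const headers = cfg.headers ?? {};
  if (typeof headers !== "object" || headers === null || Array.isArray(headers) ||
      !Object.values(headers).every((v) => typeof v === "string")) {
    return { ok: false, reason: "headers must map names to strings" };
  }
  return { ok: true, config: { url: url.href, headers: { ...headers } } };
}

// Constructed sample inputs (not taken from any real deployment).
const samples = [
  '{"url": "https://mcp.example.internal/sse", "headers": {"X-Team": "ml"}}',
  '({ url: "https://mcp.example.internal/sse" })', // JavaScript syntax, not JSON
  '{"url": "https://mcp.example.internal/sse", "command": "node"}',
];
for (const s of samples) console.log(parseMcpServerConfig(s));
```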
## Exploitation
- **Status:** Exploited in the wild (Actively exploited as of April 2026).
- **Complexity:** Low (Requires only a valid API token).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Access to sensitive data, file system, and exfiltration).
- **Integrity:** High (Execution of arbitrary commands and system compromise).
- **Availability:** High (Potential for business continuity disruption).
## Remediation
### Patches
- **Flowise version 3.0.6:** This version addresses the flaw in the npm package. Users should update immediately.
### Workarounds
- No specific workarounds were provided in the article; however, administrators should restrict access to the Flowise API and disable unused `CustomMCP` nodes if patching is delayed.
## Detection
- **Indicators of Compromise:** Active scanning/exploitation attempts have been traced to Starlink-associated IP addresses.
- **Detection Methods:**
  - Review server logs for unusual JavaScript execution or calls to `child_process` and `fs` modules originating from Flowise nodes.
  - Monitor for unauthorized access to the `CustomMCP` node configuration.
  - Check for the existence of exposed Flowise instances (over 12,000 are reportedly internet-facing).
## References
- **Vendor Advisory:** hxxps[://]github[.]com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p
- **VulnCheck Research:** Noted as the source of active exploitation findings.
- **Original News Coverage:** hxxps[://]thehackernews[.]com/2026/04/flowise-ai-agent-builder-under-active.html