TL;DR

Flowise — the drag-and-drop LLM workflow builder (~38K GitHub stars, 12,000–15,000 internet-exposed instances) — has two overlapping RCE problems shipping concurrently. (1) CVE-2025-59528 (CVSS 10.0) — unauthenticated code injection in the CustomMCP node where mcpServerConfig is eval'd as JavaScript; under active in-the-wild exploitation since April 2026 (VulnCheck via THN). (2) April 2026 Agent-node clusterCVE-2026-41265, CVE-2026-41264, CVE-2026-41268, CVE-2026-41138, CVE-2026-40933 (CVSS 9.2 each) — prompt-injection-to-RCE in the Airtable / CSV / generic Agent nodes that run LLM-generated Python with no sandbox. All fixed in Flowise 3.1.0 (CVE-2025-59528 fix line is 3.0.6 → 3.1.1). If you exposed Flowise to the public internet on any vulnerable version, treat the host as compromised and rotate every upstream LLM/cloud key the platform held.

What happened

Flowise stores upstream-provider API keys for OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, Cohere, Mistral, and similar — the same "central credentials cache" problem as LiteLLM, but for LLM-workflow-building rather than proxying. Two distinct vulnerability tracks landed against Flowise in the April → May 2026 window:

Track 1 — CVE-2025-59528 (CVSS 10.0). Disclosed originally in September 2025 (SentinelOne), the CustomMCP node accepts a user-supplied mcpServerConfig string and parses it without security validation, executing arbitrary JavaScript with full Node runtime privileges (including child_process, fs). Fix shipped in 3.0.6. VulnCheck observed the first confirmed in-the-wild exploitation from a Starlink IP in early April 2026 (The Hacker News, 2026-04-08; Cybersecurity News; Lab Space CSA Research Note); internet scans count 12,000–15,000 exposed instances, of which many remain unpatched. BleepingComputer and SC Media covered active exploitation; CSO Online framed downstream impact.

Track 2 — April 2026 Agent-node cluster. GitHub Security Advisories disclosed five chainable RCEs in Flowise's various Agent nodes (all fixed in 3.1.0):

  • CVE-2026-41265 (CVSS 9.2) — Airtable Agent: Airtable_Agents.run() evaluates an LLM-generated Python script with no sandbox. An unauthenticated attacker who can send prompts to a chatflow using this node can prompt-inject the LLM into emitting Python that executes attacker commands on the host.
  • CVE-2026-41138 — Airtable Agent RCE via lack of input verification using Pandas.
  • CVE-2026-41264, CVE-2026-41268 — sibling Agent-node RCEs.
  • CVE-2026-40933 — Flowise generic RCE.
  • CVE-2026-41137 — CSV Agent RCE.
  • CVE-2026-41269 — File Upload RCE.

The Airtable Agent class is the cleanest worked example of the decorator-as-documentation pattern already seen in Microsoft Semantic Kernel: the SDK annotation marks a function as "agent tool" and the developer's intuition is that the framework provides isolation. The framework does not — eval-ing LLM output as Python on the server gives any chatflow caller a one-prompt path to RCE.

This adds Flowise to the running cluster of "AI/data tools shipping unauthenticated RCE primitives" — siblings: Langflow CVE-2026-33017, PraisonAI CVE-2026-44338, Marimo CVE-2026-39987, LiteLLM CVE-2026-42208.

Am I affected?

# Check Flowise version (Docker or npm install)
docker ps --format '{{.Image}}\t{{.Names}}' | grep -i flowise
docker exec <container> npm list -g flowise 2>/dev/null | grep flowise

# Or self-hosted via npm
npx flowise --version 2>/dev/null

# Internet-exposed?
ss -tlnp 2>/dev/null | grep -E ':3000|:3001'  # default Flowise ports

If Version < 3.0.6 → vulnerable to CVE-2025-59528 (CustomMCP code injection). If Version < 3.1.0 → vulnerable to CVE-2026-41264 / CVE-2026-41265 / CVE-2026-41268 / CVE-2026-41138 / CVE-2026-40933 / CVE-2026-41137 / CVE-2026-41269 (Agent-node prompt-injection RCEs). Recommended minimum: 3.1.1 (CVE-2025-59528 follow-up hardening).

If any of those versions was reachable from the public internet (or from any network you don't fully trust), treat the host as compromised. Flowise stores upstream LLM provider keys — assume those keys, and any cloud-IAM credential wired into a chatflow, are exfiltrated.

IOCs

Type Value
CVE CVE-2025-59528 (CVSS 10.0, CustomMCP), CVE-2026-41265 (CVSS 9.2, Airtable), CVE-2026-41264, CVE-2026-41268, CVE-2026-41138, CVE-2026-40933, CVE-2026-41137, CVE-2026-41269
Affected versions < 3.0.6 (CVE-2025-59528); < 3.1.0 (Agent-node cluster)
Fixed version 3.0.6 (CVE-2025-59528 baseline) → upgrade to 3.1.1
GHSA (Airtable) GHSA-3gcm-f6qx-ff7p, GHSA-f228-chmx-v6j6
Active exploitation yes (April 2026, first VulnCheck telemetry from a Starlink IP)
Exposed instances ~12,000–15,000 on the public internet
Vulnerable nodes CustomMCP, Airtable_Agents, CSV_Agent, generic Agent nodes, File Upload
Vulnerable primitive eval/pickle/exec-style execution of LLM-generated code with no sandbox

If you are affected

  1. Upgrade immediately to Flowise 3.1.1 or later.
  2. Treat the host as compromised if it was internet-facing in any vulnerable version. Specifically: - Rotate every upstream LLM provider key stored in Flowise — OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, Cohere, Mistral, Google. - Rotate every cloud IAM credential wired into a chatflow (Airtable PATs, GitHub PATs, AWS access keys, etc.). - Audit each provider's usage logs during the exposure window for unexpected request volume, model-arbitrage spend, or geographic shifts in caller IP.
  3. Bind Flowise off the public internet going forward (127.0.0.1 + auth-required reverse proxy, Tailscale, Cloudflare Tunnel, or VPC-only).
  4. Disable any unused Agent node in the deployment — every additional Agent-node class is a fresh prompt-injection-to-RCE primitive until further notice.
  5. Audit any chatflow definitions for attacker-injected nodes — an RCE that ran on your Flowise host could have rewritten the chatflow registry to plant a persistent backdoor.

Prevention

prevention/agent-sandboxing.mdprevention/credential-hygiene.md → Never expose an LLM-workflow-builder admin UI to the public internet — same rule as LiteLLM, Langflow, PraisonAI, Marimo. The default-bind for these tools should be 127.0.0.1. → Treat any "Agent node that runs LLM-generated code" as a prompt-injection-to-RCE primitive until the vendor provides a hard, audited sandbox boundary. The decorator/SDK annotation is documentation, not a security control. (Same pattern as Microsoft Semantic Kernel [KernelFunction].) → Treat disclosure-to-exploit as < 36 hours for any AI-workflow CVE; CVE-2025-59528 went exploited ~6 months after disclosure because attackers needed time to weaponize, but newer Agent-node CVEs will move faster now that the recipe is public.

Sources