
CVSS 10.0 RCE in Flowise AI Builder: Why Your AI Agents Are The Ultimate Attack Vector


The rush to deploy autonomous AI agents has created a large and largely unmanaged attack surface. Today's critical vulnerability in Flowise, a widely used open-source orchestration tool for building LLM applications, shows why traditional security testing is failing in the AI era.

A CVSS 10.0 Remote Code Execution (RCE) vulnerability has been disclosed in the Flowise CustomMCP node. Over 12,000 internet-facing instances are exposed to complete server takeover by unauthenticated attackers.

Here is how the flaw works, why AI orchestration layers are a high-value target for threat actors, and why an annual penetration test cannot secure the agentic enterprise.

The Exploit: Unauthenticated Code Execution via CustomMCP

Flowise provides a drag-and-drop UI to build custom LLM flows, connect to vector databases, and deploy AI agents. Because it orchestrates those agents, it holds credentials for internal systems, databases, and high-value API keys (OpenAI, Anthropic, AWS).

The vulnerability is in the CustomMCP (Model Context Protocol) node. An attacker who can reach the instance, without authenticating, can inject arbitrary JavaScript that the Flowise process executes on the host with its own privileges.

The Full Scope of Exploitation

Once an attacker achieves RCE on a Flowise instance, the impact extends far beyond the AI application itself. The attacker gains:

  • Credential Harvesting: Direct access to the environment variables storing OpenAI, Pinecone, and AWS API keys.
  • Agent Poisoning: The ability to silently alter the system prompts, logic, or RAG data of the AI agents, turning an internal customer service bot into an outbound phishing or data exfiltration engine.
  • Lateral Movement: Because Flowise instances are often deployed internally alongside core databases to feed RAG pipelines, an attacker can use the compromised server as a beachhead to pivot into the wider enterprise network.

Internet-wide scan data shows over 12,000 Flowise services exposed to the public internet. Now that the flaw is public, that population is a prime target for automated exploitation by scanning botnets.

Remediation and Mitigation Strategies

  1. Patch Immediately: Upgrade Flowise to version 3.0.5 or newer. This patches the known RCE vectors (CVE-2025-59528 / CVE-2025-61913); confirm against each CVE's advisory which release fixes it, and verify the version actually running rather than the one in your deployment manifest.
  2. Network Segmentation: Never expose Flowise instances directly to the public internet unless absolutely necessary. Enable Flowise's built-in authentication and reach the instance only over a VPN or private network; a WAF in front of it is defence in depth, not a fix.
  3. Assume Compromise: If your Flowise instance was exposed, rotate every credential attached to it immediately: OpenAI, AWS and Pinecone API keys, plus any database credentials used by RAG pipelines. Check logs for unusual outbound connections and compare existing flows against a known-good copy to detect silent modification.

A New Paradigm of Security for AI Agents

The Flowise RCE highlights a structural failure in how enterprises approach Application Security (AppSec) in the age of AI.

When an engineering team deploys a new LangChain or Flowise orchestration node, a traditional Static Application Security Testing (SAST) scanner will often fail to contextualize the risk: it has no notion of the trust boundary, that input arrives unauthenticated from the network into a component holding production credentials. Furthermore, the traditional enterprise compliance model, a manual, point-in-time penetration test once a year to satisfy an auditor, is entirely inadequate. A manual pentest conducted in January will not catch an unauthenticated RCE introduced into an AI orchestration node in April.

To secure agentic infrastructure, security teams must shift away from point-in-time consulting and adopt Continuous Agentic Penetration Testing (PTaaS). When a component like Flowise's CustomMCP node is spun up or modified, an autonomous offensive engine maps the new attack surface, attempts to exploit the logic flaws it finds, and demonstrates that the vulnerability is real before the change reaches production.

If your enterprise is deploying AI agents, your security testing must operate at machine speed.

Ready to secure your AI infrastructure?

FailSafe provides continuous, autonomous penetration testing tailored for the agentic enterprise. Stop waiting for annual audits and start validating your attack surface at machine speed.
