Technical description
Active exploitation of a maximum-severity (CVSS 10.0) code injection vulnerability in Flowise's CustomMCP node was confirmed in early April 2026 by VulnCheck researchers. Although a fix shipped in September 2025 (version 3.0.6), an estimated 12,000–15,000 instances remain exposed online. The flaw lies in how the node parses its MCP server configuration: the supplied configuration is evaluated as JavaScript rather than treated as data, so arbitrary code runs during parsing without any validation of what was submitted.
Attack vector
Attackers inject malicious code through the CustomMCP node configuration. Because the code runs inside the Flowise Node.js process, it can require child_process (command execution) and fs (file system access) with the full privileges of that process. Flowise instances typically hold API keys for OpenAI, Anthropic and Azure OpenAI, as well as credentials for databases and internal systems, so a single injection exposes everything the instance is configured to reach.
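The following is an added example, not Flowise's own code, that models the bug class described above: a configuration string handed to a JavaScript evaluator instead of a JSON parser. The function names unsafeParseConfig and safeParseConfig, the allow-list of keys, and both sample configurations are assumptions constructed for illustration; the real Flowise parser is not reproduced. The "malicious" input only sets a marker variable to prove that attacker-controlled code ran, in place of the child_process call a real payload would make.

```javascript
'use strict';

// Vulnerable pattern (hypothetical, modelled on the bug class, not copied
// from Flowise): the config text is executed as JavaScript, so anything it
// contains runs with the privileges of the Node.js process.
function unsafeParseConfig(text) {
  return new Function('return (' + text + ')')();
}

// Hardened pattern: parse as JSON only (data, never code), then validate the
// shape against an allow-list before the MCP launcher sees it.
const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url', 'headers']);

function isStringMap(obj) {
  return obj !== null && typeof obj === 'object' && !Array.isArray(obj) &&
    Object.values(obj).every((v) => typeof v === 'string');
}

function safeParseConfig(text) {
  let cfg;
  try {
    cfg = JSON.parse(text);
  } catch (e) {
    throw new Error('mcpServerConfig is not valid JSON');
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new Error('mcpServerConfig must be a JSON object');
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error('unexpected key: ' + key);
  }
  if (cfg.command !== undefined && typeof cfg.command !== 'string') {
    throw new Error('command must be a string');
  }
  if (cfg.args !== undefined &&
      !(Array.isArray(cfg.args) && cfg.args.every((a) => typeof a === 'string'))) {
    throw new Error('args must be an array of strings');
  }
  if (cfg.env !== undefined && !isStringMap(cfg.env)) {
    throw new Error('env must map string to string');
  }
  if (cfg.headers !== undefined && !isStringMap(cfg.headers)) {
    throw new Error('headers must map string to string');
  }
  if (cfg.url !== undefined) {
    const u = new URL(cfg.url); // throws on garbage
    if (u.protocol !== 'http:' && u.protocol !== 'https:') {
      throw new Error('url must be http(s)');
    }
  }
  return cfg;
}

// Constructed sample inputs (not taken from any real deployment).
const BENIGN_CONFIG =
  '{"command":"npx","args":["-y","@modelcontextprotocol/server-filesystem","/tmp"]}';
// Constructed payload: sets a marker instead of spawning a process. A real
// payload would call require('child_process') or require('fs') here.
const MALICIOUS_CONFIG =
  '(() => { globalThis.__codeRan = true; return {"command":"npx"}; })()';

// Runs both parsers over both inputs and reports what happened.
function demo() {
  globalThis.__codeRan = false;
  unsafeParseConfig(MALICIOUS_CONFIG);
  const ranUnderUnsafe = globalThis.__codeRan; // attacker code executed

  globalThis.__codeRan = false;
  let safeRejected = false;
  try { safeParseConfig(MALICIOUS_CONFIG); } catch (e) { safeRejected = true; }
  const ranUnderSafe = globalThis.__codeRan; // nothing executed

  let extraKeyRejected = false;
  try { safeParseConfig('{"command":"npx","__proto__":{}}'); } catch (e) { extraKeyRejected = true; }

  const benign = safeParseConfig(BENIGN_CONFIG);
  return { ranUnderUnsafe, safeRejected, ranUnderSafe, extraKeyRejected, benignCommand: benign.command };
}

console.log(demo());
```

The point of the hardened version is not the allow-list itself but the separation of concerns: JSON.parse can only produce data, so the worst a hostile configuration can do is fail validation. Any parser that reaches for eval, new Function, vm.runInThisContext or a template evaluator to "support expressions" in a config field reintroduces the same exposure.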
Affected systems
Flowise versions prior to 3.0.6. Any organisation running Flowise for AI agent workflows with MCP server integrations is at risk, and the exposure is greatest where the instance is reachable from the public internet.
Mitigation
Upgrade Flowise to version 3.0.6 or later immediately. Audit exposed instances for indicators of compromise: CustomMCP node configurations nobody recognises, unexpected child processes spawned by the Flowise process, and files or outbound connections the workflow does not account for. Rotate every API key and credential stored in Flowise, since upgrading does not revoke secrets that may already have been read. Remove Flowise instances from public internet exposure and place them behind authentication or a private network.