Technical description
A code injection vulnerability in Flowise's CustomMCP node allows remote attackers to execute arbitrary code without authentication. The CustomMCP node parses user-provided mcpServerConfig strings without security validation, enabling access to dangerous Node.js modules including child_process (command execution) and fs (file system access) with full runtime privileges. The first confirmed in-the-wild exploitation was detected from a Starlink IP in early April 2026; between 12,000 and 15,000 unpatched instances remain reachable on the internet. Critically, Flowise instances typically hold API keys for OpenAI, Anthropic, Azure OpenAI, and other LLM providers, so successful exploitation grants access to all downstream AI services.
Attack vector
An unauthenticated remote attacker sends a crafted HTTP request to the CustomMCP node endpoint with a malicious mcpServerConfig payload. No credentials or prior access are required. Exploitation gives full system command execution and access to all secrets stored in the Flowise instance.
Affected systems
Flowise versions prior to 3.1.1. Any deployment of Flowise that exposes the CustomMCP node to untrusted input.
Mitigation
Upgrade to Flowise version 3.1.1 immediately. Audit exposed instances for indicators of compromise (unusual outbound connections, unexpected API calls to LLM providers). Rotate all API keys stored in compromised or potentially compromised Flowise instances. Do not expose Flowise admin interfaces to the public internet without authentication controls.
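To support the audit step, the following added example (not part of the original advisory and not Flowise code) triages logged HTTP requests that carry an mcpServerConfig value. The JSON-lines log format, its ts, src, auth and body fields, and every sample record are constructed assumptions; it presumes a reverse proxy that captures request bodies.

```javascript
// Added example: triage logged HTTP requests that carry an mcpServerConfig value.
// Assumption: a reverse proxy writes JSON lines with ts, src, auth and body fields.
// All sample records below are constructed for illustration.
const benign = JSON.stringify({ command: "npx", args: ["example-mcp-server"] });
const SAMPLE_LOG = [
  { ts: "2026-04-02T10:15:00Z", src: "192.0.2.10", auth: true, body: { mcpServerConfig: benign } },
  { ts: "2026-04-02T10:16:00Z", src: "198.51.100.23", auth: false,
    body: { mcpServerConfig: "CONSTRUCTED PLACEHOLDER: non-JSON text naming child_process" } },
  { ts: "2026-04-02T10:17:00Z", src: "198.51.100.23", auth: false, body: { mcpServerConfig: benign } },
  { ts: "2026-04-02T10:18:00Z", src: "192.0.2.10", auth: true, body: { question: "hello" } },
].map((r) => JSON.stringify(r)).join("\n");

// Module names the advisory calls out as reachable through the node.
const DANGEROUS_MODULES = /\b(child_process|fs)\b/;

// Return the reasons a single config string deserves a closer look.
function assessConfig(raw) {
  if (typeof raw !== "string") return ["mcpServerConfig is not a string"];
  const reasons = [];
  try {
    const parsed = JSON.parse(raw);
    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
      reasons.push("not a JSON object");
    }
  } catch {
    reasons.push("not plain JSON");
  }
  if (DANGEROUS_MODULES.test(raw)) reasons.push("references child_process or fs");
  return reasons;
}

// Scan a JSON-lines log and return one finding per suspicious request.
function triage(logText) {
  const findings = [];
  logText.split("\n").forEach((line, i) => {
    let rec;
    try { rec = JSON.parse(line); } catch { return; } // skip lines that are not JSON
    const raw = rec && rec.body ? rec.body.mcpServerConfig : undefined;
    if (raw === undefined) return; // request does not touch the config field
    const reasons = assessConfig(raw);
    if (rec.auth !== true) reasons.push("unauthenticated request");
    if (reasons.length > 0) findings.push({ line: i + 1, src: rec.src, ts: rec.ts, reasons });
  });
  return findings;
}

console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
```

A finding is a lead for review, not proof of compromise; the token match also fires on benign text that happens to mention fs.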