AI Agents April 30, 2026 · 4 min read · By Forum Desk

Flowise's Third Live-Fire RCE: 12,000 AI-Agent Builders Exposed to a CVSS 10.0 Code-Injection Bug

A maximum-severity code-injection flaw in Flowise's CustomMCP node, CVE-2025-59528, is being exploited from a single Starlink IP across more than 12,000 internet-facing instances — the third in-the-wild Flowise vulnerability in seven months.


A drag-and-drop AI agent builder used by tens of thousands of teams is now the third low-friction RCE surface to land on the active-exploitation list this year. On April 7, 2026, The Hacker News reported that threat actors are weaponizing CVE-2025-59528, a CVSS 10.0 code-injection flaw in Flowise, against more than 12,000 internet-facing instances — most of them running with default Node.js privileges and no execution sandbox.

The flaw, in one line

CVE-2025-59528 lives in Flowise’s CustomMCP node, a feature that lets builders drop arbitrary JavaScript into an agent’s tool-call surface. Per the disclosure credited to researcher Kim SooHyun, the node executes that JavaScript with no isolation and full access to high-risk Node.js modules including child_process and fs. A successful exploit is therefore not the limited “code-in-sandbox” outcome that AI tooling vendors often disclaim — it is full operating-system command execution, file-system read and write, and unconstrained outbound network access. The vendor patched the issue in version 3.0.6 of the npm package, with the original advisory dating back to September 2025.

What the campaigns are doing

The Hacker News reports active exploitation traffic from a single Starlink IP, which is a tell that someone has tooled this up for opportunistic mass coverage rather than a targeted campaign. The 12,000-instance figure matters because Flowise is positioned as a low-code workflow canvas — the kinds of teams that ship Flowise to a public hostname tend to be experimental data-science groups and side-of-desk AI projects, not platform engineering. Those are the deployments least likely to have egress filtering, runtime telemetry, or rotation discipline on whatever credentials the agent has been granted.

This is also the third Flowise flaw to see in-the-wild exploitation in the past seven months, after CVE-2025-8943 (CVSS 9.8) and CVE-2025-26319 (CVSS 8.9). A single project hitting that cadence is no longer a coincidence — it is a structural signal about how AI agent platforms are written and operated.

What this means

Three implications for defenders.

First, “AI agent builder” is now a high-value attack class on its own. The Flowise pattern — a public-facing canvas that lets users wire arbitrary JavaScript or shell-equivalent steps into an agent — is repeated across LangFlow, Dify, n8n’s AI nodes, and other workflow tools. A custom-code node with no execution boundary is an RCE primitive shipped as a feature.

Second, the cadence on these CVEs now matches edge web infrastructure: hours from advisory to active exploitation. If you run a Flowise instance, treat 3.0.6 as an emergency patch and assume any host that was on a vulnerable version while internet-reachable should be examined for post-exploitation artifacts. Pull child_process invocations, audit any service-account credentials that the host could have reached, and review outbound traffic to commodity dynamic-DNS endpoints.

Third, the budget conversation needs to change. AI tooling that can be pointed at production data with a click of an OAuth flow does not deserve “experimental” operational status. Inference servers, MCP servers, and agent canvases should be patched, monitored, and credential-rotated on the same cadence as the perimeter — because that is exactly how attackers are treating them.
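
The host triage described in the second implication above (version check against 3.0.6, child processes spawned under the Flowise Node.js process, dynamic-DNS lookups), sketched as an added example that is not from Flowise or the article's sources. The JSON-lines telemetry schema, the dynamic-DNS suffix list and the suspect-binary list are assumptions, and the sample records are constructed.

```python
import json

PATCHED = (3, 0, 6)  # fixed release named in the article
# Assumption: illustrative dynamic-DNS suffixes; extend from your own intel.
DYNDNS_SUFFIXES = (".duckdns.org", ".ddns.net", ".no-ip.org")
# Assumption: binaries a workflow server rarely has reason to spawn.
SUSPECT_CHILDREN = {"sh", "bash", "curl", "wget", "nc"}

# Constructed sample data in a hypothetical schema, oldest event first.
SAMPLE_HOST = {"flowise_version": "3.0.5", "internet_facing": True}
SAMPLE_EVENTS = """
{"type":"exec","pid":100,"ppid":1,"exe":"node","cmdline":"node /usr/local/bin/flowise start"}
{"type":"exec","pid":200,"ppid":1,"exe":"bash","cmdline":"bash -l"}
{"type":"exec","pid":101,"ppid":100,"exe":"sh","cmdline":"sh -c id"}
{"type":"dns","pid":101,"query":"example-host.duckdns.org"}
{"type":"dns","pid":300,"query":"updates.example.com"}
"""

def parse_version(v):
    """'3.0.5' -> (3, 0, 5); drops any pre-release suffix after '-'."""
    return tuple(int(p) for p in v.split("-")[0].split(".")[:3])

def triage(host, events):
    """Return findings for one host from its chronological JSON-lines events."""
    findings = []
    if parse_version(host["flowise_version"]) < PATCHED:
        exposure = "exposed" if host["internet_facing"] else "internal"
        findings.append(f"vulnerable-version:{host['flowise_version']}:{exposure}")
    flowise_pids = set()  # the Flowise process and every descendant seen so far
    for ev in (json.loads(l) for l in events.splitlines() if l.strip()):
        if ev["type"] == "exec":
            if ev["exe"] == "node" and "flowise" in ev["cmdline"]:
                flowise_pids.add(ev["pid"])
            elif ev["ppid"] in flowise_pids:
                flowise_pids.add(ev["pid"])  # keep following the process tree
                if ev["exe"] in SUSPECT_CHILDREN:
                    findings.append(f"child-process:{ev['exe']}:pid={ev['pid']}")
        elif ev["type"] == "dns" and ev["pid"] in flowise_pids:
            # Only lookups made from inside the Flowise process tree count.
            if ev["query"].lower().rstrip(".").endswith(DYNDNS_SUFFIXES):
                findings.append(f"dyndns-lookup:{ev['query']}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_HOST, SAMPLE_EVENTS)))
```

The shell started outside the Flowise process tree (pid 200) and the lookup from an unrelated process (pid 300) are not reported, which keeps the output focused on activity the vulnerable service could have originated.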