Flowise RCE CVE: 12,000+ Instances Under Attack

A CVSS 10.0 RCE flaw in Flowise AI Agent Builder is being actively exploited. Over 12,000 exposed instances face full remote takeover. Here's what you need to know.

April 7, 2026 | VibeWShield News Agent | Source: thehackernews.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

Flowise RCE Vulnerability Is Being Actively Exploited Right Now

A critical remote code execution vulnerability in Flowise, the popular open-source AI agent builder, has been assigned a CVSS score of 10.0 and is under active exploitation. Over 12,000 publicly reachable Flowise instances have been identified as exposed, making this one of the most urgent unpatched attack surfaces in the AI tooling ecosystem right now. If your team runs Flowise to build or deploy LLM-based pipelines, this is not a background risk. Attackers are already scanning and hitting live targets.

The flaw allows unauthenticated remote code execution, meaning an attacker does not need credentials, a session token, or any prior foothold. They send a crafted request, and they get code execution on the host. That is the worst possible combination for any internet-facing service.

How the Flowise RCE Attack Works

Flowise exposes an API surface for building and executing AI agent workflows. The vulnerability exists in how Flowise handles certain input passed to its execution engine. Attackers can inject malicious payloads through specific API endpoints that bypass authentication checks entirely and reach an execution context with sufficient privileges to run arbitrary commands on the underlying server.

Because Flowise is often deployed in developer environments, CI pipelines, and internal tooling setups, many instances run with elevated system permissions. That amplifies the blast radius significantly. A successful exploit does not just expose the Flowise application. It potentially exposes the entire host, any secrets stored in environment variables, connected cloud credentials, and downstream services the server communicates with.

Shodan and similar scanning tools have confirmed more than 12,000 instances are directly reachable over the public internet. Many of these are running without authentication layers, reverse proxies, or network egress controls.

What Developers and Teams Are Actually Risking

The impact here goes beyond a single compromised service. Teams building AI agents with Flowise frequently connect the tool to OpenAI keys, database credentials, internal APIs, and cloud provider tokens. All of that is reachable once an attacker has code execution on the host.

Lateral movement becomes straightforward. An attacker who compromises a Flowise instance that holds AWS credentials in environment variables can pivot to S3 buckets, EC2 instances, or IAM roles, depending on how permissive those credentials are. The human response window in these scenarios has collapsed. Automated exploitation chains can move from initial access to credential exfiltration in minutes, not hours.

How to Protect Your Flowise Deployment

Patch immediately. Check the Flowise GitHub releases for the latest version that addresses this CVE and deploy it now.

If you cannot patch right away, restrict access. Put Flowise behind a VPN or authenticated reverse proxy. Block all public internet access to the Flowise port at the firewall or security group level. This is not optional while the patch is pending.

Audit your environment variables. Rotate any API keys, cloud credentials, or database passwords that were accessible to the Flowise process. Assume those credentials are compromised if your instance was publicly exposed.

Run a targeted scan against your Flowise endpoints using an automated scanner like VibeWShield to verify whether your deployment exhibits the vulnerable behavior before and after patching.

Implement network egress filtering on the host running Flowise. Even if an attacker achieves RCE, outbound connection restrictions can limit their ability to exfiltrate data or establish reverse shells.

Check your logs for anomalous API requests to Flowise endpoints, particularly any unexpected POST bodies or requests hitting execution-related routes from unfamiliar IP ranges.
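A small triage script for the log review step above, added here as an example and not part of the original article or of the Flowise project: it parses access-log lines written by a reverse proxy in front of Flowise and flags POST requests to execution-related routes from addresses outside your trusted networks. The trusted CIDRs and the route prefix are assumptions to adjust for your deployment and for the routes named in the vendor's fix; the log lines are constructed.

```python
import ipaddress
import re

# Constructed sample lines in nginx/Apache "combined" log format, as a reverse proxy
# in front of Flowise would write them. Not real traffic; IPs are documentation ranges.
SAMPLE_LOG = """\
10.0.4.12 - - [07/Apr/2026:09:14:02 +0000] "GET /api/v1/chatflows HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.4.12 - - [07/Apr/2026:09:15:40 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.77 - - [07/Apr/2026:09:16:03 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 200 9731 "-" "python-requests/2.31"
203.0.113.77 - - [07/Apr/2026:09:16:05 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.77 - - [07/Apr/2026:09:16:09 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 500 118 "-" "python-requests/2.31"
198.51.100.9 - - [07/Apr/2026:09:17:11 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 401 44 "-" "curl/8.4.0"
"""

# Assumptions, not from the advisory: the networks that legitimately call Flowise and
# the route prefixes treated as execution-related. Adjust both to your deployment and
# to the routes named in the vendor's fix.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
EXECUTION_ROUTE_PREFIXES = ("/api/v1/prediction/",)

# ip, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def is_trusted(ip_str):
    """True if the address falls inside an allowlisted network; unparseable input never is."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)

def find_suspicious(log_text):
    """Return (ip, timestamp, path, status) for POSTs to execution-related routes from
    outside the trusted networks. Failed attempts (401/500) are kept: they show probing."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(EXECUTION_ROUTE_PREFIXES):
            continue
        if not is_trusted(m["ip"]):
            hits.append((m["ip"], m["ts"], m["path"], int(m["status"])))
    return hits

def summarize_by_source(hits):
    """Count flagged requests per source so the noisiest unfamiliar addresses surface first."""
    counts = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))
```

Run `find_suspicious(open("access.log").read())` against your own proxy log and feed the result to `summarize_by_source` to see which unfamiliar sources hit execution routes most.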


How do I know if my Flowise instance is vulnerable? Check your current Flowise version against the patched release on GitHub. If you are running a version prior to the fix and your instance is internet-accessible without an auth layer, treat it as compromised and patch immediately.

Can a WAF block this exploit? Possibly, but not reliably. WAF rules are signature-dependent and attackers routinely obfuscate payloads. Network-level access restriction and patching are the only dependable mitigations.

What should I do if I think I was already exploited? Isolate the host, rotate all credentials that were accessible to the Flowise process, pull and inspect your logs, and treat the system as compromised. Rebuild from a clean image after patching.

