Flowise Vulnerability Enables Remote Command Execution
A systemic design flaw in the Model Context Protocol (MCP) has enabled a critical remote code execution vector across Flowise and multiple AI frameworks. Researchers at OX Security disclosed that poor validation of user-supplied JavaScript and protocol-level parsing errors permit arbitrary command execution, exposing internal data, API keys, and file systems. The flaw is tracked by high-severity CVEs including CVE-2025-59528 with a CVSS 10.0 rating and affects official MCP SDKs across Python, Rust, Java, and TypeScript. Active exploitation and a broad supply-chain blast radius are reported, with dozens of products and hundreds of thousands of instances potentially impacted. Immediate mitigations: apply vendor patches, disable untrusted MCP adapters, restrict egress, and rotate exposed credentials.
What happened
Researchers at OX Security disclosed a systemic, architecture-level vulnerability in the Model Context Protocol (MCP) that enables unauthenticated remote command execution through poorly validated MCP adapters. The flaw allows injection of malicious JavaScript and protocol messages that escalate to remote command execution (RCE), impacting Flowise and a chain of AI frameworks and tools. A high-profile instance is CVE-2025-59528, assigned CVSS 10.0, and reports indicate active exploitation and a large blast radius across public and private deployments.
Technical details
The vulnerability arises from how MCP serializes and dispatches model context and adapter messages without sufficiently validating or sanitizing executable payloads. Attackers can leverage multiple exploitation vectors including unauthenticated UI injections, zero-click prompt injections in IDEs, and marketplace/package poisoning to inject payloads. Affected components include official MCP SDKs implemented in Python, Rust, Java, and TypeScript, and multiple downstream projects. Researchers enumerated several concrete CVEs across products, notably:
- CVE-2025-59528 (Flowise, RCE, CVSS 10.0)
- CVE-2025-65720 (GPT Researcher, unauthenticated UI injection)
- CVE-2026-30624 (Agent Zero)
- CVE-2026-30618 (Fay Framework)
- CVE-2026-30617 (Langchain-Chatchat)
Some vulnerabilities have already been patched, for example in LiteLLM and Bisheng, while others remain open or under active attack.
Why it breaks assumptions
This is not a classical coding bug limited to a single repo; it is a protocol and adapter design choice that lets executable content traverse trust boundaries. That design makes downstream hardening difficult because developers implicitly inherit execution semantics when they adopt MCP adapters or SDKs. The result is a supply-chain style blast radius: researchers estimate large-scale exposure, citing usage metrics in the tens to hundreds of thousands of instances and package ecosystems with more than 150 million cumulative downloads across components.
Immediate mitigation guidance for practitioners
- Patch first: Prioritize vendor patches and fixed releases for your dependencies. Apply updates for Flowise and any affected frameworks immediately.
- Isolate adapters: Disable or remove untrusted MCP adapters and connectors until they are verified patched.
- Egress and process control: Enforce network egress restrictions, container runtime policy, and disallow arbitrary shell execution from agent runtimes.
- Secrets rotation: Rotate API keys, service tokens, and any credentials stored alongside agent contexts.
- Audit and detection: Search code and infra for MCP usage, identify public endpoints, and monitor for anomalous process spawns, file writes, and unexpected outbound connections.
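The last three controls above (no shell spawns from the agent runtime, no writes outside its workspace, no egress to non-allowlisted hosts) can be checked against runtime telemetry. The script below is an added example, not code from the article or from Flowise; the JSON-lines event format, the runtime process names and the sample events are all constructed assumptions, not any product's real log schema.

```python
import json
from pathlib import PurePosixPath

# Constructed sample events in an assumed JSON-lines shape (not Flowise's or any
# real runtime's log schema): one event per line from a host running an agent.
SAMPLE_EVENTS = """
{"ts": "2025-10-01T12:00:01Z", "type": "proc", "parent": "node", "cmd": "/bin/sh -c env"}
{"ts": "2025-10-01T12:00:02Z", "type": "file", "parent": "node", "op": "write", "path": "/tmp/stage.sh"}
{"ts": "2025-10-01T12:00:03Z", "type": "net", "parent": "node", "dst": "api.example-llm.com", "port": 443}
{"ts": "2025-10-01T12:00:04Z", "type": "net", "parent": "node", "dst": "203.0.113.10", "port": 8080}
{"ts": "2025-10-01T12:00:05Z", "type": "file", "parent": "node", "op": "write", "path": "/srv/agent/workspace/out.json"}
{"ts": "2025-10-01T12:00:06Z", "type": "proc", "parent": "node", "cmd": "/usr/bin/node worker.js"}
{"ts": "2025-10-01T12:00:07Z", "type": "proc", "parent": "sshd", "cmd": "/bin/bash -l"}
"""

# Process names of agent runtimes whose children we scrutinise (assumed deployment).
AGENT_RUNTIMES = {"node", "python", "python3"}
# Interpreters an agent runtime should never need to spawn directly.
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}


def detect_anomalies(jsonl, allowed_hosts, workspace_roots):
    """Return (rule, timestamp, detail) tuples for events that violate one of the
    three controls: shell spawn, write outside the workspace, non-allowlisted egress."""
    alerts = []
    roots = tuple(r.rstrip("/") + "/" for r in workspace_roots)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("parent") not in AGENT_RUNTIMES:
            continue  # an interactive admin shell under sshd is out of scope here
        if ev["type"] == "proc":
            exe = PurePosixPath(ev["cmd"].split()[0]).name
            if exe in SHELLS:
                alerts.append(("shell_spawn", ev["ts"], ev["cmd"]))
        elif ev["type"] == "file" and ev["op"] == "write":
            if not ev["path"].startswith(roots):
                alerts.append(("write_outside_workspace", ev["ts"], ev["path"]))
        elif ev["type"] == "net" and ev["dst"] not in allowed_hosts:
            alerts.append(("egress_not_allowlisted", ev["ts"], f"{ev['dst']}:{ev['port']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_EVENTS, {"api.example-llm.com"}, ["/srv/agent/workspace"]):
        print(*alert)
```

Feed it the real process, file and network telemetry from your agent hosts (EDR, auditd, or container runtime events mapped into the same three fields) and tune the allowlists per deployment.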
Context and significance
The vulnerability illustrates a new class of risk born from protocol-level trust assumptions in AI agent ecosystems. As agent orchestration and adapter ecosystems grow, implicit execution semantics create a high-risk supply chain that spans models, SDKs, developer tools, and marketplaces. This incident joins other systemic AI supply-chain incidents and will pressure protocol authors and platform vendors to harden message semantics, adopt allowlisting, and treat adapter inputs as untrusted by default. Reports indicate some vendors resist wholesale protocol redesigns, increasing urgency for downstream mitigations.
What to watch
Track vendor advisories and CVE updates for your stack, verify patches in all MCP SDK languages, and expect coordinated disclosures and hardened adapter specifications. Long term, teams should demand explicit execution contracts from protocol authors and prefer adapter patterns that separate data from executable content.
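An adapter pattern that separates data from executable content, as an added example that is not code from the article, from Flowise or from any MCP SDK: the message shape, the tool registry and the tool names are assumptions for illustration, not the real MCP wire format. The weak dispatcher shows the trust-boundary mistake the advisory describes; the hardened one dispatches only allowlisted tool names with exactly the declared, typed arguments and never executes any field.

```python
import json
import re

# Weak pattern the advisory describes: a string inside the adapter message is
# treated as executable content. Kept only for contrast; never call it on
# untrusted input.
def weak_dispatch(message):
    return eval(message["expression"])

# Hardened pattern: an adapter message is data. Only allowlisted tool names with
# exactly the declared, typed arguments are dispatched; no field is ever run.
# Registry and message shape are assumed for illustration, not the MCP wire format.
TOOL_REGISTRY = {
    "add": {"args": {"a": int, "b": int}, "fn": lambda a, b: a + b},
    "lookup_city": {"args": {"city": str}, "fn": lambda city: city.title()},
}
TOOL_NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,63}$")
MAX_STR = 256


class AdapterMessageError(ValueError):
    pass


def safe_dispatch(raw_json, registry=TOOL_REGISTRY):
    try:
        msg = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise AdapterMessageError(f"malformed JSON: {exc}") from None
    if not isinstance(msg, dict) or set(msg) != {"tool", "args"}:
        raise AdapterMessageError("message must contain exactly 'tool' and 'args'")
    name = msg["tool"]
    if not isinstance(name, str) or not TOOL_NAME_RE.match(name) or name not in registry:
        raise AdapterMessageError(f"tool not allowlisted: {name!r}")
    spec, args = registry[name], msg["args"]
    if not isinstance(args, dict) or set(args) != set(spec["args"]):
        raise AdapterMessageError(f"arguments for {name!r} must be exactly {sorted(spec['args'])}")
    for key, typ in spec["args"].items():
        value = args[key]
        if type(value) is not typ:  # exact match: bool is not accepted as int
            raise AdapterMessageError(f"argument {key!r} must be {typ.__name__}")
        if typ is str and len(value) > MAX_STR:
            raise AdapterMessageError(f"argument {key!r} exceeds {MAX_STR} characters")
    return spec["fn"](**args)


def rejects(raw_json):
    """True if safe_dispatch refuses the message."""
    try:
        safe_dispatch(raw_json)
    except AdapterMessageError:
        return True
    return False
```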
Scoring Rationale
This is a systemic, protocol-level vulnerability with active exploitation and a large supply-chain blast radius across SDKs and agent frameworks. It significantly raises operational risk for teams deploying agent architectures and requires urgent, coordinated mitigations.