Critical Vulnerability in Flowise Exposes Millions to Remote Code Execution
A critical security flaw has been identified in Flowise and several other AI frameworks, potentially exposing millions of users to remote code execution (RCE) attacks. This vulnerability originates from the Model Context Protocol (MCP), a communication standard developed by Anthropic for AI agents.
Understanding the MCP Vulnerability
Unlike typical software bugs, this issue is rooted in the architectural design of Anthropic’s official MCP Software Development Kits (SDKs), which are implemented across multiple programming languages, including Python, TypeScript, Java, and Rust. Developers utilizing these SDKs inadvertently inherit this vulnerability, thereby expanding the attack surface across the entire AI supply chain.
Implications of the Flaw
The flaw enables attackers to execute arbitrary commands on affected systems, granting unauthorized access to sensitive user data, internal databases, API keys, and chat histories. During their research, OX Security successfully executed live commands on six production platforms, with Flowise—a widely used open-source AI workflow builder—being notably impacted.
Exploitation Techniques
Researchers identified a hardening bypass attack vector against Flowise, demonstrating that even environments configured with additional security measures remain susceptible through MCP adapter interfaces. The broader impact is significant: over 150 million downloads, more than 7,000 publicly accessible servers, and an estimated 200,000 vulnerable instances across the ecosystem. At least ten Common Vulnerabilities and Exposures (CVEs) have been issued, covering critical vulnerabilities in platforms such as LiteLLM, LangChain, GPT Researcher, Windsurf, DocsGPT, and IBM’s LangFlow.
Four distinct exploitation methods have been confirmed:
1. Unauthenticated User Interface (UI) injection in popular AI frameworks.
2. Hardening bypasses in protected environments like Flowise.
3. Zero-click prompt injection in AI Integrated Development Environments (IDEs) such as Windsurf and Cursor.
4. Malicious MCP server distribution, with 9 out of 11 MCP registries successfully compromised during testing.
Anthropic’s Response
OX Security recommended root-level patches to Anthropic to protect millions of downstream users. However, Anthropic declined, characterizing the behavior as expected. The company did not object when notified of the researchers’ intent to publish their findings.
Recommended Actions
Security teams are urged to take immediate action:
– Block public internet exposure of AI services connected to sensitive APIs or databases.
– Treat all external MCP configuration input as untrusted and restrict user input from reaching StdioServerParameters.
– Install MCP servers only from verified sources, such as the official GitHub MCP Registry.
– Run MCP-enabled services inside sandboxed environments with minimal permissions.
– Monitor AI agent tool invocations for unexpected outbound activity.
– Update all affected services to their latest patched versions immediately.
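As an added example (not code from the article, from Flowise, OX Security or Anthropic), the following policy gate implements the second recommendation above: user-influenced MCP server configuration is treated as untrusted and is checked against an operator allowlist before anything is handed to StdioServerParameters. The field names command/args/env and the final StdioServerParameters(**kwargs) call are assumptions about the MCP Python SDK; the allowlist paths, the permitted environment keys and the sample configurations are constructed for the example.

```python
"""Policy gate for user-supplied MCP stdio server configuration (added example).

Assumptions: the validated result is meant to be passed as
StdioServerParameters(**to_server_kwargs(cfg)); the allowlists below are
operator-chosen placeholders, not values from the article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed allowlist: absolute paths of launchers the operator has vetted.
# User input may select one of these; it may never supply its own path.
ALLOWED_COMMANDS = {
    "/opt/mcp/bin/filesystem-server",
    "/opt/mcp/bin/git-server",
}
# Environment variables a user may set for the child process (constructed).
ALLOWED_ENV_KEYS = {"MCP_LOG_LEVEL"}
# Arguments must be plain tokens: no whitespace, quotes, or shell syntax.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_./=-]{1,128}$")
MAX_ARGS = 16


class MCPConfigRejected(ValueError):
    """Raised when a configuration fails the policy; the caller must not fall back."""


@dataclass
class ValidatedStdioConfig:
    command: str
    args: list[str] = field(default_factory=list)
    env: dict[str, str] = field(default_factory=dict)


def validate_stdio_config(raw: object) -> ValidatedStdioConfig:
    """Return a validated config or raise MCPConfigRejected.

    The function never normalises or repairs input: a repaired value is still
    attacker-chosen. Unknown keys are rejected so that SDK options the operator
    never considered cannot be smuggled in alongside the expected fields.
    """
    if not isinstance(raw, dict):
        raise MCPConfigRejected("config must be a mapping")
    unknown = set(raw) - {"command", "args", "env"}
    if unknown:
        raise MCPConfigRejected(f"unexpected keys: {sorted(unknown)}")

    command = raw.get("command")
    # Exact string membership only: no path normalisation, no basename matching.
    if not isinstance(command, str) or command not in ALLOWED_COMMANDS:
        raise MCPConfigRejected("command is not on the operator allowlist")

    args = raw.get("args", [])
    if not isinstance(args, list) or len(args) > MAX_ARGS:
        raise MCPConfigRejected("args must be a short list")
    for arg in args:
        if not isinstance(arg, str) or not SAFE_TOKEN.fullmatch(arg):
            raise MCPConfigRejected(f"argument rejected: {arg!r}")
        if ".." in arg.split("/"):
            raise MCPConfigRejected(f"path traversal in argument: {arg!r}")

    env = raw.get("env", {})
    if not isinstance(env, dict):
        raise MCPConfigRejected("env must be a mapping")
    for key, value in env.items():
        if key not in ALLOWED_ENV_KEYS or not isinstance(value, str) \
                or not SAFE_TOKEN.fullmatch(value):
            raise MCPConfigRejected(f"environment entry rejected: {key!r}")

    return ValidatedStdioConfig(command=command, args=list(args), env=dict(env))


def to_server_kwargs(cfg: ValidatedStdioConfig) -> dict:
    """Keyword arguments for StdioServerParameters (assumed field names)."""
    return {"command": cfg.command, "args": cfg.args, "env": cfg.env}


# Constructed sample inputs: one operator-vetted config and several that a
# gate must refuse. Each rejection corresponds to one check above.
SAMPLE_CONFIGS = {
    "operator-vetted": {"command": "/opt/mcp/bin/filesystem-server",
                        "args": ["--root", "/srv/data"]},
    "foreign-binary": {"command": "/usr/bin/env", "args": ["filesystem-server"]},
    "shell-metachar": {"command": "/opt/mcp/bin/git-server",
                       "args": ["--repo", "/srv/repo;"]},
    "path-traversal": {"command": "/opt/mcp/bin/filesystem-server",
                       "args": ["--root", "/srv/data/../../etc"]},
    "unknown-key": {"command": "/opt/mcp/bin/git-server", "shell": True},
    "env-override": {"command": "/opt/mcp/bin/git-server",
                     "env": {"PATH": "/tmp"}},
}


def triage(configs: dict) -> dict[str, str]:
    """Map each labelled config to 'accepted' or 'rejected: <reason>'."""
    results = {}
    for label, raw in configs.items():
        try:
            validate_stdio_config(raw)
            results[label] = "accepted"
        except MCPConfigRejected as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in triage(SAMPLE_CONFIGS).items():
        print(f"{label:16s} {outcome}")
```

The gate is deliberately strict about exact command matches and rejects unknown keys; loosening either check (accepting any path under a directory, ignoring extra fields) is where this kind of control usually fails in practice. Logging the rejection reasons alongside the calling user gives the monitoring recommendation in the list something concrete to alert on.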
OX Security has implemented platform-level protections for its customers, flagging STDIO MCP configurations that include user input as actionable remediation findings.