
🎯 Basically, a flaw in Flowise lets hackers run commands on your computer remotely.
What Happened
A critical vulnerability has been discovered in Flowise and several AI frameworks, exposing millions of users to the risk of remote code execution (RCE). This flaw originates from the Model Context Protocol (MCP), a communication standard developed by Anthropic for AI agents. Unlike typical software bugs, this vulnerability is rooted in an architectural design decision, making it particularly dangerous.
Who's Affected
The vulnerability affects a wide range of platforms built on the MCP, including Flowise, which is a popular open-source AI workflow builder. With over 150 million downloads and approximately 200,000 vulnerable instances, the potential impact is massive, reaching thousands of servers and users across the ecosystem.
What Data Was Exposed
Attackers exploiting this vulnerability can execute arbitrary commands on affected systems, gaining access to sensitive user data, internal databases, API keys, and chat histories. During research, OX Security successfully executed live commands on six production platforms, demonstrating the severity of the flaw.
Technical Details
The vulnerability enables several types of attacks, including:
- Unauthenticated UI injection in popular AI frameworks.
- Hardening bypasses in environments like Flowise, even those with additional protections.
- Zero-click prompt injection in AI IDEs such as Windsurf and Cursor.
- Malicious MCP server distribution, where 9 out of 11 MCP registries were successfully poisoned.
What You Should Do
Security teams are urged to take immediate action to mitigate risks:
Containment
1. Block public internet exposure of AI services connected to sensitive APIs or databases.
2. Treat all external MCP configuration input as untrusted.
3. Install MCP servers only from verified sources like the official GitHub MCP Registry.
Remediation
4. Run MCP-enabled services inside sandboxed environments with minimal permissions.
5. Monitor AI agent tool invocations for unexpected outbound activity.
6. Update all affected services to their latest patched versions immediately.
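One concrete way to apply steps 2 and 3 above, treating externally supplied MCP configuration as untrusted and admitting only vetted servers, as an added example (not code from this page or from the Flowise project). It assumes the common `mcpServers` JSON layout used by MCP clients (`command`/`args` for a local stdio server, `url` for a remote one) and constructed allowlist values; Flowise's own configuration schema is not shown on the page, so the keys may need adapting.

```python
import json
from urllib.parse import urlparse

# Assumed policy values (constructed for this example, not taken from the page).
ALLOWED_COMMANDS = {"npx", "uvx"}                              # launchers that fetch from vetted registries
ALLOWED_PACKAGES = {"@modelcontextprotocol/server-filesystem"}  # packages reviewed by the security team
ALLOWED_HOSTS = {"mcp.example.internal"}                        # placeholder host, not a real endpoint
SHELL_META = set(";|&$`<>\n")                                   # characters that only make sense to a shell

def check_server(name, spec):
    """Return findings for one mcpServers entry; an empty list means it passes."""
    findings = []
    if "command" in spec:
        cmd = spec["command"]
        args = spec.get("args", [])
        if cmd not in ALLOWED_COMMANDS:
            findings.append(f"{name}: launcher {cmd!r} not allowlisted")
        # The first non-flag argument is the package the launcher will fetch and run.
        pkg = next((a for a in args if not a.startswith("-")), None)
        if pkg not in ALLOWED_PACKAGES:
            findings.append(f"{name}: package {pkg!r} not allowlisted")
        if any(SHELL_META & set(a) for a in args):
            findings.append(f"{name}: shell metacharacters in args")
    elif "url" in spec:
        u = urlparse(spec["url"])
        if u.scheme != "https":
            findings.append(f"{name}: remote transport must use https")
        if u.hostname not in ALLOWED_HOSTS:
            findings.append(f"{name}: host {u.hostname!r} not allowlisted")
    else:
        findings.append(f"{name}: neither command nor url given")
    return findings

def audit_config(text):
    """Parse an mcpServers JSON document and map each server name to its findings."""
    servers = json.loads(text).get("mcpServers", {})
    return {name: check_server(name, spec) for name, spec in servers.items()}

# Constructed sample: one vetted entry, one unvetted local entry, one unvetted remote entry.
SAMPLE = json.dumps({"mcpServers": {
    "files": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/srv/docs"]},
    "custom": {"command": "node", "args": ["./vendor/untrusted-server.js"]},
    "remote": {"url": "http://203.0.113.5/mcp"},
}})

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

Run it as a gate in the pipeline that loads workflow or agent configuration, rejecting the whole document if any entry returns findings.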
Conclusion
Despite the alarming nature of this vulnerability, Anthropic has declined to implement protocol-level fixes, labeling the behavior as 'expected.' This decision leaves millions of users at risk, emphasizing the need for immediate protective measures by organizations utilizing affected platforms.
🔒 Pro insight: The architectural flaw in MCP underscores the need for rigorous security assessments in AI frameworks to prevent widespread exploitation.