Critical flaw in Flowise and AI frameworks exposes systems to remote code execution

MCP-linked vulnerability in Flowise and AI tools raises widespread security concerns

A major security vulnerability has been identified in Flowise and several widely used AI frameworks, putting millions of users at risk of remote code execution (RCE). The issue was discovered by OX Security and is linked to the Model Context Protocol (MCP), a communication standard for AI agents developed by Anthropic.

Unlike a typical software bug, the vulnerability originates from a core architectural design within MCP’s official SDKs across Python, TypeScript, Java, and Rust. This means developers building on MCP may unknowingly inherit the risk, extending the threat across the broader AI ecosystem rather than a single platform.

The flaw allows attackers to execute arbitrary commands on affected systems. This can lead to unauthorized access to sensitive data, including internal databases, API keys, and chat histories. During testing, OX Security successfully executed live commands on 6 production platforms, with Flowise identified as one of the most impacted.

Researchers also uncovered a “hardening bypass” in Flowise, showing that even environments with added security controls can be compromised through MCP adapter interfaces.

The scale of the exposure is significant. The vulnerability impacts systems tied to over 150 million downloads, more than 7,000 publicly accessible servers, and an estimated 200,000 vulnerable instances. At least 10 CVEs have been issued across affected platforms, including LiteLLM, LangChain, GPT Researcher, Windsurf, DocsGPT, and IBM’s LangFlow.

Four key exploitation methods have been confirmed:

  • Unauthenticated UI injection in AI frameworks
  • Hardening bypasses in protected environments like Flowise
  • Zero-click prompt injection in AI IDEs such as Windsurf and Cursor
  • Malicious MCP server distribution, with 9 out of 11 MCP registries compromised during testing

OX Security recommended root-level fixes to Anthropic that could have mitigated risks for millions of users. However, Anthropic classified the behavior as “expected” and did not oppose the public disclosure of the findings.

Security teams are advised to act immediately by limiting public exposure of AI services, treating MCP inputs as untrusted, installing MCP servers only from verified sources like GitHub registries, running services in sandboxed environments, monitoring tool activity, and updating all systems to the latest patched versions.

OX Security has also introduced platform-level protections, flagging risky MCP configurations that include user input as actionable security issues.
