Flowise, AI agents collapse: Apr-May 2026 AI Sec Watch intel briefing
Dear friends and colleagues,
April brought a lot of critical vulnerabilities across AI platforms, frameworks, and tooling. Attackers are already exploiting several of these flaws in the wild. The theme repeats itself: poorly sandboxed AI agents, unvalidated configuration interfaces, and fragile authentication boundaries are giving attackers trivial paths to full system compromise.
AI workflow platforms are collapsing under basic injection attacks
Flowise suffered failures across nearly every surface. Five separate CVEs disclosed this month revealed unauthenticated remote code execution through command injection, password reset bypass without token verification, credential exposure via public APIs, and unsafe deserialization in agent nodes. CVE-2026-41268 stands out: attackers can gain full system control through a single HTTP request by exploiting the FILE-STORAGE keyword and NODE_OPTIONS environment variable injection, with no login required. Worse, CVE-2025-59528 (CVSS 10.0) is being actively exploited against thousands of exposed instances, allowing arbitrary JavaScript injection through the Custom MCP node. Other Cypher injection flaws in GraphCypher, CSV, and Airtable nodes allow attackers to manipulate databases or execute Python code via prompt injection. All flaws are patched in version 3.1.0, but the fact that so many critical weaknesses existed simultaneously points to systemic design failures.
n8n shipped two prototype pollution vulnerabilities in its XML parser and webhook handler, both leading to RCE for authenticated users. PraisonAI exhibited similar fragility: its command executor passes user-controlled input directly to subprocess.run() with shell=True, enabling OS command injection through YAML workflows and LLM-generated tool calls. A sandbox escape via exception frame traversal allows attackers to access Python builtins and bypass restrictions entirely. Paperclip let unauthenticated attackers achieve full RCE through six API calls, while a cross-tenant authorization bypass allowed any logged-in user to mint API tokens for agents belonging to other companies. LiteLLM had a SQL injection flaw in proxy key verification, exploitable by unauthenticated attackers via crafted authorization headers.
The Model Context Protocol is becoming an attack vector
Anthropic's MCP, designed to let AI models interact with external tools, is now a recurring threat surface. Researchers disclosed that MCP's architectural design enables RCE across thousands of servers, with vulnerabilities found in LangChain, LiteLLM, and other popular projects. Anthropic declined to fix the underlying issue, leaving developers responsible for securing their implementations. nginx UI added an unprotected /mcp_message endpoint to support MCP, allowing anyone to bypass authentication and inject malicious configurations to take over web servers. CVE-2026-30617 in LangChain-ChatChat 0.3.1 permits RCE through malicious MCP STDIO server configurations. I think the rush to integrate MCP without understanding its security model has created a new class of systemic risk.
Code execution flaws in developer tooling are getting exploited faster
Google's Gemini CLI had a maximum-severity flaw (CVSS 10.0) enabling RCE in CI/CD environments by automatically trusting workspace configurations without verification, allowing attackers to inject code that executes before security checks. Patched in versions 0.39.1 and 0.40.0-preview.3, the fix now requires explicit folder trust and enforces tool allowlisting even under auto-approve mode. Cursor IDE before version 2.5 could execute malicious Git hooks embedded in attacker-controlled repositories when its AI agent performed routine operations. Windsurf 1.9544.26 has a prompt injection vulnerability that lets attackers auto-register malicious MCP STDIO servers to execute commands when processing attacker-controlled HTML. Anthropic's Claude CLI executes authentication helpers with shell=True without validation, allowing credential theft via injected shell metacharacters. Marimo is being actively exploited for pre-authentication RCE, now listed on CISA's Known Exploited Vulnerabilities catalog.
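As an added example (not PraisonAI's, Claude CLI's or any project's own code), here is the shell=True executor pattern described above replaced with an argv-based one: a command string from a YAML workflow or an LLM tool call is tokenized, checked against an allowlist, and run without a shell and with a fixed environment, so metacharacters and injected variables such as NODE_OPTIONS never reach /bin/sh. ALLOWED_COMMANDS, CHILD_ENV and the sample command are constructed for the demonstration.

```python
"""Argv-based executor for agent tool calls.
Added example, not PraisonAI's or Claude CLI's code; ALLOWED_COMMANDS and
CHILD_ENV are constructed values for demonstration."""
import os
import shlex
import subprocess

# Executables an agent tool call may invoke. Everything else is refused.
ALLOWED_COMMANDS = {"echo", "ls", "wc"}

# Children get a fixed environment instead of inheriting the parent's, so an
# injected NODE_OPTIONS / LD_PRELOAD style variable cannot ride along.
CHILD_ENV = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "LANG": "C"}


def build_argv(user_command: str) -> list:
    """Turn an LLM- or YAML-supplied command string into an argv list.

    With shell=True the raw string is handed to /bin/sh, which interprets
    ';', '|', '&&', '$(...)' and backticks. Tokenizing with POSIX rules and
    passing a list (shell=False) makes those characters inert arguments.
    """
    try:
        argv = shlex.split(user_command)
    except ValueError as exc:  # unbalanced quotes
        raise ValueError("malformed command: %s" % exc) from exc
    if not argv:
        raise ValueError("empty command")
    # Allowlist on the bare program name; allowlisted names contain no '/'.
    if argv[0] not in ALLOWED_COMMANDS:
        raise PermissionError("executable not allowlisted: %r" % argv[0])
    return argv


def run_tool_command(user_command: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute an allowlisted command with no shell and a clean environment."""
    argv = build_argv(user_command)
    return subprocess.run(
        argv, shell=False, env=CHILD_ENV, capture_output=True, text=True,
        timeout=timeout, check=False,
    )


if __name__ == "__main__":
    # Constructed sample: what would be a chained command under shell=True is
    # just three arguments to echo once no shell is involved.
    print(run_tool_command("echo hello; id").stdout)  # hello; id
```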
Supply chain and infrastructure vulnerabilities expose backend secrets
Ollama for Windows has two critical flaws: its update mechanism lacks signature verification and uses untrusted HTTP headers to build file paths, enabling attackers to write malicious executables to the Windows Startup folder via path traversal. QnABot on AWS (CVE-2026-7191) allows administrators to execute arbitrary code by exploiting improper static-eval usage, granting access to databases and environment variables. FastGPT before 4.14.9.5 has a NoSQL injection flaw that lets unauthenticated attackers log in as any user by sending database operators instead of passwords. Keras 3.13.0 loads external TensorFlow SavedModels without validation even in safe_mode, enabling attackers to run code when a model is loaded. Hugging Face LeRobot has an unpatched RCE flaw (CVE-2026-25874, CVSS 9.3) from unsafe pickle deserialization over unencrypted connections; a fix is planned for version 0.6.0 but requires substantial refactoring. Cohere's Terrarium sandbox (CVE-2026-5752, CVSS 9.3) allows root-level code execution and container escape via JavaScript prototype chain traversal, with no patch coming since the project is abandoned.
Authentication bypasses and data exposure continue
Microsoft 365 Copilot has an open redirect vulnerability (CVE-2026-33102) that enables privilege escalation over a network. text-generation-webui before 4.1.1 let users overwrite critical Python files with malicious extension settings. IBM Langflow Desktop versions 1.0.0 through 1.8.4 have three vulnerabilities: code injection enabling arbitrary command execution, an authorization bypass letting unauthenticated users view other users' images, and inadequate permission checks. n8n-mcp bypassed SSRF protections using IPv4-mapped IPv6 addresses, allowing attackers to force the server to request cloud metadata endpoints and private services. Jupyter Notebook has a stored XSS flaw via CommandLinker that steals authentication tokens when users click fake controls in malicious notebooks; patched in version 7.5.6. ChatGPTNextWeb NextChat 2.16.1 and earlier have an improper authorization flaw that is exploitable remotely without authentication; the developers have not yet responded. marked@18.0.0 crashes Node.js applications via infinite recursion triggered by three special characters, causing out-of-memory denial of service.
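As an added example, not n8n-mcp's own code, the check below shows why an SSRF guard that tests an IP literal exactly as written misses the IPv4-mapped IPv6 bypass mentioned above, and how canonicalizing ::ffff:a.b.c.d to its IPv4 form before the range check closes it. The blocked-range list and sample URLs are constructed.

```python
"""SSRF target check that canonicalizes IPv4-mapped IPv6 literals.
Added example, not n8n-mcp's code; BLOCKED_NETWORKS is a constructed list."""
import ipaddress
from urllib.parse import urlsplit

# Ranges an outbound-fetch feature must never reach: loopback, RFC 1918,
# link-local (169.254.169.254 is the cloud metadata endpoint), CGNAT, and
# their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def naive_is_blocked(host: str) -> bool:
    """The flawed pattern: compare the literal exactly as supplied.
    '::ffff:169.254.169.254' parses as IPv6, and an IPv6 address is never
    'in' an IPv4 network, so every IPv4 block is skipped."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal
    return any(addr in net for net in BLOCKED_NETWORKS)


def canonical_ip(host: str):
    """Parse an IP literal and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d or
    ::ffff:hex:hex) to the IPv4 address the socket will actually connect to.
    Returns None for hostnames."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_blocked(host: str) -> bool:
    addr = canonical_ip(host)
    return addr is not None and any(addr in net for net in BLOCKED_NETWORKS)


def is_blocked_url(url: str) -> bool:
    """urlsplit().hostname strips the [] around IPv6 literals, so a bracketed
    mapped address in a URL goes through the same canonical check."""
    host = urlsplit(url).hostname
    return host is not None and is_blocked(host)
```

Hostnames still have to be resolved and every returned address passed through canonical_ip before connecting, and the same check must be repeated on each redirect; both steps are outside this snippet.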
I think we continue to see the consequence of building AI platforms faster than we understand their attack surfaces, as I have said many times before. The pattern consistently has three components:
- configuration interfaces that trust user input
- sandboxes that fail under basic evasion techniques
- authentication boundaries that collapse when probed
Many of these flaws are trivial to exploit once discovered, yet they sit in production code powering thousands of deployments. The velocity of exploitation is increasing. Flowise, nginx UI, and Marimo all saw active attacks within weeks of disclosure. If you run any of these platforms, AI Sec Watch has the full technical details and mitigation guidance.
— Jack