CVE-2025-59434: Flowise Cloud: cross-tenant env var exposure leaks API keys
CRITICAL | PoC AVAILABLE | CISA: TRACK*
Any free-tier Flowise Cloud account could access environment variables from ALL other tenants (including OpenAI keys, AWS credentials, and database tokens) with no special skill required. If your org stored API keys or cloud credentials in Flowise Cloud before August 2025, treat them as compromised and rotate immediately. Patch to August 2025 release and audit which secrets were ever stored in the platform.
What is the risk?
Critical (CVSS 9.6). Network-exploitable with near-zero barrier: a free account (no payment, no vetting) is sufficient to trigger the exploit with low complexity and no user interaction. The Scope:Changed designation means blast radius extends across ALL tenants on the shared platform. The combination of trivial exploitation, free entry cost, and high-value targets (cloud credentials enabling lateral movement into AWS/GCP production) makes this an immediate P0. Exploitation likely leaves minimal traces in standard application logs, increasing dwell time before detection.
What should I do?
6 steps:
1. IMMEDIATE: Rotate ALL credentials stored in Flowise Cloud environment variables: OpenAI keys, AWS/GCP service account credentials, Supabase tokens, and any third-party API keys. Assume compromised if stored before August 2025.
2. Update to August 2025 Cloud-Hosted Flowise (patched).
3. Audit Flowise Cloud access logs for Custom JavaScript Function node usage from free-tier accounts prior to patch date.
4. Forward-looking: use secrets management services (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager) instead of platform env vars for all AI tooling.
5. Enforce least-privilege on all service accounts used with Flowise: scope down IAM roles and API key permissions.
6. Enable anomaly alerts on OpenAI and cloud provider usage dashboards to detect ongoing abuse of already-exfiltrated credentials.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2025-59434 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-59434, increasing the risk of exploitation.
What systems are affected by CVE-2025-59434?
This vulnerability affects the following AI/ML architecture patterns: Multi-tenant LLM pipeline platforms, Agent frameworks, LLM orchestration layers, Cloud-hosted AI workflow builders, No-code/low-code AI automation platforms.
What is the CVSS score for CVE-2025-59434?
CVE-2025-59434 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 3.15%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0048.000 Financial Harm
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0055 Unsecured Credentials
- AML.T0083 Credentials from AI Agent Configuration
- AML.T0106 Exploitation for Credential Access
What are the technical details?
Original Advisory
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScript Function node. This includes secrets such as OpenAI API keys, AWS credentials, Supabase tokens, and Google Cloud secrets — resulting in a full cross-tenant data exposure. This issue has been patched in the August 2025 Cloud-Hosted Flowise.
Exploitation Scenario
Adversary registers a free-tier Flowise Cloud account — no payment or verification required. They create a flow containing a Custom JavaScript Function node and inject JavaScript to enumerate cross-tenant environment variables (e.g., reading process.env and serializing all key-value pairs). Due to missing tenant isolation in the serverless/container execution environment, the script returns environment variables belonging to other tenants. Adversary systematically harvests these, then executes in parallel: (a) runs unauthorized LLM inference at victim's cost using stolen OpenAI keys, (b) uses stolen AWS access keys to enumerate S3 buckets and EC2 instances for data exfiltration or ransomware staging, (c) accesses victim databases via stolen Supabase connection strings. The entire attack requires only a free account and basic JavaScript — realistic for opportunistic threat actors and financially motivated groups.
Weaknesses (CWE)
CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
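The compartmentalization advice above, applied to the failure in the exploitation scenario: an added example (not Flowise's code and not its actual fix) in which tenant-supplied JavaScript runs in a child process whose environment is either inherited from the host or built from a per-tenant allowlist. The child-process model, `HOST_ENV`, `TENANT_VARS` and every value are assumptions constructed for illustration.

```javascript
// Added example (not Flowise code): environment isolation for tenant-supplied JS.
const { spawnSync } = require("node:child_process");

// Constructed stand-in for the host process environment on a shared platform.
const HOST_ENV = {
  PLATFORM_DB_TOKEN: "constructed-platform-secret",
  TENANT_A_OPENAI_KEY: "constructed-tenant-a-secret",
};

// Constructed per-tenant variables; the only values a tenant's code may see.
const TENANT_VARS = {
  "tenant-a": { OPENAI_KEY: "constructed-tenant-a-secret" },
  "tenant-b": { OPENAI_KEY: "constructed-tenant-b-secret" },
};

// Isolation probe standing in for a tenant's custom function. It reports the
// NAMES of the variables visible to it, never their values.
const PROBE = "console.log(JSON.stringify(Object.keys(process.env).sort()))";

function runTenantCode(code, env) {
  const res = spawnSync(process.execPath, ["-e", code], {
    env, // the child receives exactly this object as its environment
    encoding: "utf8",
    timeout: 10000,
  });
  if (res.status !== 0) throw new Error(`tenant code failed: ${res.stderr}`);
  return JSON.parse(res.stdout);
}

// Weak: the child inherits everything the host holds.
function visibleWhenInherited() {
  return runTenantCode(PROBE, HOST_ENV);
}

// Hardened: the environment is built from scratch from the caller's own entry.
function visibleWhenIsolated(tenantId) {
  const own = TENANT_VARS[tenantId];
  if (!own) throw new Error(`unknown tenant: ${tenantId}`);
  return runTenantCode(PROBE, { ...own });
}

// Regression check: names of host-level variables that reached tenant code.
function leakedHostNames(visible) {
  return visible.filter((name) => name in HOST_ENV);
}

console.log("inherited:", leakedHostNames(visibleWhenInherited()));
console.log("isolated: ", leakedHostNames(visibleWhenIsolated("tenant-b")));
```

Scrubbing the environment closes only this one channel; the same trust boundary has to hold for the filesystem, network and any shared memory the tenant code can reach.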
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Related Vulnerabilities
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation. Same attack type: Data Extraction
- CVE-2025-53767 (10.0) Azure OpenAI: SSRF EoP, no auth required (CVSS 10). Same attack type: Data Extraction
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read. Same attack type: Data Extraction
- CVE-2025-2828 (10.0) LangChain RequestsToolkit: SSRF exposes cloud metadata. Same attack type: Data Extraction
- GHSA-vvpj-8cmc-gx39 (10.0) picklescan: security flaw enables exploitation. Same attack type: Auth Bypass