The Numbers
On June 25, 2026, two of the most widely deployed AI workflow platforms disclosed a combined 17 critical and high-severity vulnerabilities. n8n, the open-source workflow automation platform increasingly used as an AI agent orchestration layer, published 11 CVEs. Flowise, the drag-and-drop LLM application builder built on LangChain, published 6 CVEs. Both disclosures include CVSS 10.0 vulnerabilities. Both have MCP endpoints as their most dangerous attack vectors.
The MCP Problem
The Model Context Protocol (MCP) is the emerging standard for letting AI agents interact with external tools, databases, and services. Both n8n and Flowise have implemented MCP endpoints to let AI models trigger workflows, access data, and control browsers. These MCP endpoints are now the most dangerous attack vectors in both platforms.
CVE-2026-54309, the n8n CVSS 10.0, is an unprotected MCP endpoint that gives unauthenticated attackers browser-control capabilities. No login required. No API key. An attacker who can reach the endpoint gets the same browser automation capabilities the AI agent was designed to have. The AI agent's power becomes the attacker's power.
CVE-2025-71336, a Flowise CVSS 9.8, enables unsandboxed remote code execution through the Custom MCP feature. The very mechanism designed to let AI agents interact with tools is the attack vector. A crafted JSON payload achieves arbitrary code execution on the server. CVE-2025-71338, Flowise's CVSS 10.0, chains a path traversal through the document-store endpoint into arbitrary file write and remote code execution.
n8n: The Full Picture
Beyond the MCP endpoint, n8n's disclosure reveals systemic security gaps across its integration layer. CVE-2026-54310 (CVSS 9.9) is SQL injection in the TimescaleDB and Postgres nodes — the database connectors that AI workflows use to read and write production data. CVE-2026-44789 (CVSS 9.9) is global prototype pollution via the HTTP Request node's pagination feature, affecting every workflow that makes paginated API calls.
CVE-2026-44791 (CVSS 9.9) is a patch bypass. n8n previously fixed CVE-2026-42232, an XML node RCE vulnerability. The new CVE circumvents that fix and restores the same RCE capability through a different vector. This fix-break-fix pattern is characteristic of rapidly evolving AI tooling where features ship faster than security reviews can keep pace.
CVE-2026-54311 (CVSS 7.7) enables sandbox context pollution — cross-user data interception in multi-tenant deployments. In environments where multiple teams share an n8n instance, one user's workflow can intercept another's data. For enterprises using n8n as a shared AI orchestration platform, this is a data isolation failure.
Flowise: The Accessible Danger
Flowise markets itself as the easiest way to build LLM-powered applications. Its drag-and-drop interface means non-developers deploy it. Its documentation emphasises quick setup and visual workflow building. This accessibility is also its security problem: the people deploying Flowise are the least likely to audit its security posture.
CVE-2025-71327 (CVSS 9.1) is an authentication bypass via an unprotected account registration endpoint. If the /api/v1/account/register endpoint is reachable, anyone can create an admin account. CVE-2026-56270 (CVSS 7.5) exposes SSO configuration including OAuth client secrets in cleartext. CVE-2026-56275 (CVSS 7.5) enables SSRF through the Execute Flow node, potentially reaching cloud metadata services (169.254.169.254) and stealing IAM credentials.
The Broader Pattern
These 17 vulnerabilities are not isolated incidents. They follow a pattern WebPulse has been tracking: AI agent infrastructure is being deployed with security models designed for internal tools, not internet-facing attack surfaces. n8n was built as a workflow automation tool. Flowise was built as a prototyping platform. Both are now being deployed as production AI agent infrastructure by enterprises — exposed to the internet, connected to production databases, and granted browser control capabilities.
This week's GitHub Advisory Database also showed vulnerabilities in LangGraph (unsafe deserialization in checkpoint loading), Amazon Braket SDK (pickle.loads on untrusted S3 data), and GitHub's own MCP Server (cross-user client confusion). The AI infrastructure layer is accumulating vulnerabilities faster than the web framework layer it is built on. WebPulse's framework scores measure what is running. These CVEs reveal what is orchestrating it.
What Organisations Should Do
If you are running n8n: update immediately. If your n8n instance is internet-accessible with MCP endpoints enabled, assume compromise until you can verify otherwise. The CVSS 10.0 vulnerability, CVE-2026-54309, requires no authentication. If you are running Flowise: update, and audit whether the registration endpoint was ever reachable from outside your network.
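One way to run the Flowise registration-endpoint audit described above, as an added example rather than code from Flowise or from this article: it scans reverse-proxy access logs for requests to /api/v1/account/register that came from outside the internal address ranges. The log format, the internal ranges, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

REGISTER_PATH = "/api/v1/account/register"  # path named in the article
# Assumption: "inside your network" means these ranges; adjust to your address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Assumption: Common/Combined Log Format with the real client address in field one.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def normalise(target):
    """Drop the query string, decode %XX, fold case and repeated or trailing slashes."""
    path = unquote(target.split("?", 1)[0]).lower()
    return re.sub(r"/+", "/", path).rstrip("/")

def is_external(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparseable client field: report it rather than hide it
    return not any(ip in net for net in INTERNAL_NETS)

def external_register_hits(lines):
    """Return one record per request to REGISTER_PATH from a non-internal address."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalise(m["target"]) != REGISTER_PATH or not is_external(m["ip"]):
            continue
        status = int(m["status"])
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "status": status, "accepted": 200 <= status < 300})
    return hits

# Constructed sample lines using documentation-range addresses, not real traffic.
SAMPLE_LOG = [
    '10.0.4.12 - - [24/Jun/2026:09:14:02 +0000] "POST /api/v1/account/register HTTP/1.1" 201 312',
    '203.0.113.7 - - [24/Jun/2026:22:41:55 +0000] "POST /api/v1/account/register HTTP/1.1" 201 318',
    '198.51.100.23 - - [25/Jun/2026:01:03:10 +0000] "POST /API/v1//account/register/?x=1 HTTP/1.1" 404 0',
    '203.0.113.7 - - [24/Jun/2026:22:42:01 +0000] "GET /assets/app.js HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in external_register_hits(SAMPLE_LOG):
        print(hit)
```

A hit with `accepted` set means the server returned a 2xx status to a registration request from outside; follow those up by reviewing the accounts that exist on the instance.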
More broadly: treat AI workflow platforms with the same security rigour as databases. They have equivalent access to production data, equivalent ability to execute code, and — as of this week — a demonstrated equivalent vulnerability profile. The label 'AI tool' does not exempt software from security review. If anything, the MCP pattern — granting AI agents the ability to control browsers, execute code, and access databases — means these platforms need more scrutiny than traditional web applications, not less.


