Hackers Are Now Targeting AI Workflow Tools. Your API Keys Are What They're After.
Everyone's focused on what AI can do for them. Nobody's talking about the fact that the platforms running your AI hold the keys to everything else in your stack.
TL;DR: Flowise, a popular open-source AI workflow builder, has a maximum-severity vulnerability (CVSS 10.0) that's being actively exploited right now. Attackers are using it to steal API keys for OpenAI, Anthropic, and AWS - then pivoting into cloud services and CI/CD pipelines. Between 12,000 and 15,000 instances are exposed. This is the second AI platform hit with a critical exploit in weeks, following Langflow's CISA emergency directive.
What's Happening?
On April 8, security researchers confirmed active exploitation of CVE-2025-59528 - a code injection vulnerability in Flowise. The vulnerability was disclosed back in September 2025. Attackers waited six months before deploying real-world attack payloads.
Here's the thing. Flowise isn't some obscure tool. It's a drag-and-drop AI workflow builder that connects to the same services you probably use - OpenAI, Anthropic, AWS. Between 12,000 and 15,000 instances are sitting on the open internet right now. The first confirmed attack came from a single Starlink IP address, deploying info stealers, reverse shells, and cryptominers.
Why This Matters to You
The attack isn't targeting Flowise itself. It's targeting what Flowise has access to.
Think of it kind of like a key rack by your front door. The rack itself isn't valuable - but every key hanging on it opens something that is. Your AI workflow platform stores API keys for OpenAI, Anthropic, AWS, and whatever else you've connected. Compromise the platform, and the attacker doesn't just get your AI workflows. They get lateral movement into your cloud services, your deployment pipelines, your storage.
Now here's what makes this worse. Two AI platforms, one week, two maximum-severity vulnerabilities. Langflow hit CISA's Known Exploited Vulnerabilities catalog with an April 8 deadline. Flowise is being actively exploited right now. The pattern is clear - AI agent platforms are becoming a target class, and these are not isolated incidents.
What Should You Do Right Now?
If you're running Flowise, check your version immediately. If you're exposed, update or take it offline.
Audit every API key stored in any AI workflow tool you use. Rotate keys that have been sitting in platforms connected to the internet.
Set spending caps on every API account - OpenAI, Anthropic, all of them. If an attacker gets your key, a spending cap is the difference between a bad day and a devastating bill.
If you're self-hosting OpenClaw or any AI platform, ask yourself: what keys does this thing have access to? That's your actual attack surface.
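One way to start the key audit described above, as an added example that is not from the original article or from the Flowise project: a Python script that scans config-style files for strings shaped like OpenAI, Anthropic and AWS keys and lists them redacted, so each one can be rotated and capped. The regexes, the file-suffix list and the sample values are assumptions constructed for illustration, and the scan only finds keys stored in plaintext files.

```python
import re
from pathlib import Path

# Approximate key shapes (assumption: providers can change formats at any time).
PATTERNS = {
    "openai": re.compile(r"(?<![A-Za-z0-9])sk-(?!ant-)[A-Za-z0-9_-]{20,}"),
    "anthropic": re.compile(r"(?<![A-Za-z0-9])sk-ant-[A-Za-z0-9_-]{20,}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}
# File names worth checking around a self-hosted deployment (hypothetical list).
CONFIG_SUFFIXES = (".env", ".json", ".yaml", ".yml", ".toml")

def redact(secret):
    """Keep enough to find the key in a provider console, never the whole value."""
    return f"{secret[:6]}...{secret[-4:]}"

def scan_text(text, source="<text>"):
    """Return one finding per key-shaped string, with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for provider, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"source": source, "line": lineno,
                                 "provider": provider, "key": redact(match.group())})
    return findings

def scan_tree(root, max_bytes=1_000_000):
    """Scan config-like files under root; skip large or unreadable files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or not path.name.endswith(CONFIG_SUFFIXES):
            continue
        try:
            if path.stat().st_size > max_bytes:
                continue
            findings += scan_text(path.read_text(errors="ignore"), str(path))
        except OSError:
            continue
    return findings

# Constructed sample, not real credentials.
SAMPLE = """OPENAI_API_KEY=sk-proj-EXAMPLEEXAMPLEEXAMPLE0001
ANTHROPIC_API_KEY=sk-ant-EXAMPLEEXAMPLEEXAMPLE0002
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
PORT=3000
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "sample.env"):
        print(f"{f['source']}:{f['line']}  {f['provider']:<18} {f['key']}  -> rotate, set cap")
```

Point `scan_tree` at the directory holding your deployment's environment and compose files; every finding is a key to rotate and to put a spending cap behind.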
That's the immediate threat. But here's the bigger picture nobody in the creator space is covering yet: AI platforms are becoming the new target class. Two max-severity hits in one week isn't a coincidence - it's a pattern. And if you're running any AI agent platform, the question isn't whether your tool has a vulnerability. It's what your tool has access to when it does.