CVE-2025-71328

HIGH8.7

Description

Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

None

Confidentiality (Vulnerable System)

High

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

Low

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Affected products

Flowise / Flowise0 – 3.0.10
Flowise / Flowise3.0.10 – 3.0.10

References

VENDOR_ADVISORYhttps://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fjh6-8679-9pch
VENDOR_ADVISORYhttps://www.vulncheck.com/advisories/flowise-unverified-password-change-via-account-settings

Updated 9m ago · 2 sources