CVE-2025-71337

HIGH8.7

Description

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

None

Confidentiality (Vulnerable System)

High

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

Low

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Affected products

Flowise / Flowise0 – 3.0.10
Flowise / Flowise3.0.10 – 3.0.10

References

VENDOR_ADVISORYhttps://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4
VENDOR_ADVISORYhttps://www.vulncheck.com/advisories/flowise-unverified-email-change-via-account-profile-endpoint

Updated 9m ago · 2 sources