Description
Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API access without credentials.
Published: 2026-06-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Flowise exposes an authentication bypass via the unprotected /api/v1/account/register endpoint, enabling attackers to create user accounts without credentials. This flaw, classified as CWE-306 (Missing Authentication for Critical Function), gives the attacker full API access once the self-registered account is created, compromising confidentiality, integrity, and availability of the system.

Affected Systems

The affected product is Flowise by Flowise, specifically version 3.0.1.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and the vector shows that the vulnerability is exploitable over the network without privileges or user interaction. No EPSS score is available, and it is not listed in the CISA KEV catalog. Remote attackers can craft a request to the registration endpoint to create arbitrary accounts and immediately authenticate, bypassing all standard identity checks.

Generated by OpenCVE AI on June 25, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Flowise release that removes the unprotected registration endpoint.
  • If an immediate update is not possible, block the /api/v1/account/register URL for all external traffic using a firewall or reverse proxy.
  • Implement a pre‑authorization check or require an administrative API key before creating new accounts.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API access without credentials.
Title | | Flowise - Authentication Bypass via Unprotected Registration Endpoint
First Time appeared | | Flowiseai; Flowiseai flowise
Weaknesses | | CWE-306
CPEs | | cpe:2.3:a:flowiseai:flowise:3.0.1:*:*:*:*:*:*:*
Vendors & Products | | Flowiseai; Flowiseai flowise
References | |
Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}; cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T21:41:03.513Z

Reserved: 2026-06-08T20:44:31.210Z

Link: CVE-2025-71327

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T00:00:14Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function