Description
Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.
Published: 2026-06-25
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Flowise before version 3.0.10 allows an authenticated user to change their password without providing the current password or any additional verification. This is a direct instance of CWE-620 (Unverified Password Change): the credential update is accepted on the strength of the session alone. Because the new password takes effect immediately, whoever holds the session can lock the legitimate owner out and assume full control of the account, so session compromise or user manipulation is enough to turn the missing check into a complete account takeover.

Affected Systems

Flowise before version 3.0.10 is affected. No other versions have been reported to contain this issue.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so there is no confirmed exploitation in the wild at the time of writing. The attack requires an existing authenticated session; an attacker who hijacks or coerces such a session can navigate to the account settings page and change the password, gaining full control of the account. Because the application does not enforce a current-password check, this holds for any authenticated user, including those with limited privileges.

Generated by OpenCVE AI on June 25, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied patch that upgrades Flowise to version 3.0.10 or later.
  • Enable multi-factor authentication to protect legitimate user sessions from hijacking or coercion.
  • Restrict account-reset actions by requiring re-authentication or a current-password prompt, and audit login sessions for suspicious activity.

Generated by OpenCVE AI on June 25, 2026 at 23:24 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.
Title | | Flowise - Unverified Password Change via Account Settings
First Time appeared | | Flowiseai; Flowiseai flowise
Weaknesses | | CWE-620
CPEs | | cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Vendors & Products | | Flowiseai; Flowiseai flowise
References | |
Metrics | | cvssV3_1 {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Flowiseai Flowise
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T21:41:04.185Z

Reserved: 2026-06-08T20:44:31.210Z

Link: CVE-2025-71328

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T23:30:16Z

Weaknesses
  • CWE-620: Unverified Password Change