Description
Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.
Published: 2026-06-25
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Flowise before version 3.0.10 does not invalidate existing sessions or tokens when a user changes their password. As a result, an attacker who already holds an active session remains authenticated as the legitimate user, even after credentials are rotated. The flaw, classified as CWE-613 (Insufficient Session Expiration), enables continued unauthorized access after an event that should have revoked it.

Affected Systems

The vulnerability affects Flowise installations running version 3.0.7 or earlier, before the 3.0.10 patch that implements proper session invalidation.

Risk and Exploitability

The CVSS score of 8.6 classifies this finding as High severity. EPSS data is not available, and the issue is not listed in CISA KEV. The likely attack vector involves an attacker who already possesses a valid session token or a device left logged in; by retaining the old token after the password change, the attacker can continue activity as the user. No additional prerequisites beyond session possession are required.

Generated by OpenCVE AI on June 25, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.0.10 or later to enforce session invalidation on password change.
  • If an upgrade cannot be applied immediately, manually revoke all user sessions after a password change by clearing session data or deleting authentication tokens.
  • Implement monitoring to detect password changes while active sessions persist and alert administrators to investigate.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 19:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 22:00:00 +0000

Type                  Values Removed   Values Added
Description           (none)           Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.
Title                 (none)           Flowise - Session Invalidation Failure After Password Change
First Time appeared   (none)           Flowiseai; Flowiseai flowise
Weaknesses            (none)           CWE-613
CPEs                  (none)           cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Flowiseai; Flowiseai flowise
References            (none)           (none)
Metrics               (none)           cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
                                       cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-26T18:42:15.493Z

Reserved: 2026-06-20T01:48:36.755Z

Link: CVE-2025-71335

Vulnrichment

Updated: 2026-06-26T17:50:38.818Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T04:15:10Z

Weaknesses
  • CWE-613

    Insufficient Session Expiration