Description
Agentflow developed by Flowring has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain arbitrary user authentication token and log into the system as any user.
Published: 2026-02-10
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass enabling arbitrary user login
Action: Apply Workaround
AI Analysis

Impact

Agentflow developed by Flowring contains an authentication bypass flaw that allows unauthenticated remote attackers to obtain an arbitrary user's authentication token and log into the system as that user. The weakness is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel): a functionality reachable without credentials hands out the token that the normal login flow would only issue after a successful authentication, so an attacker gains whatever any chosen account, including administrative ones, is permitted to do. The consequences for confidentiality and integrity are severe, and availability follows from the privileges of the accounts that can be taken over.

Affected Systems

The affected product is Flowring Agentflow. The CPE recorded by NVD (cpe:2.3:a:flowring:agentflow:*) carries no version bound and the advisory names no fixed release, so every installation should be treated as affected until the vendor's instructions say otherwise.

Risk and Exploitability

The CVSS v4.0 score of 9.3 (v3.1: 9.8) places this flaw in the critical range. The vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) says the weakness is reachable over the network, needs no special conditions, privileges or user interaction, and fully compromises confidentiality, integrity and availability of the vulnerable system. The SSVC assessment records Exploitation: none, Automatable: yes and Technical Impact: total; the EPSS score below 1% reflects the absence of observed exploitation, not any difficulty in carrying it out, and the flaw is not on the KEV list. Organizations should still treat it as urgent, because the attack surface is whatever web or API functionality issues authentication tokens, and that functionality is exposed to unauthenticated remote clients.

Generated by OpenCVE AI on April 18, 2026 at 12:52 UTC.

Remediation

Vendor Workaround

Please refer to the following official instructions and take the appropriate mitigation measures: https://forum.flowring.com/post/view?bid=72&id=45611&tpg=1&ppg=1&sty=1#45939


OpenCVE Recommended Actions

  • Follow the official Flowring forum instructions at https://forum.flowring.com/post/view?bid=72&id=45611&tpg=1&ppg=1&sty=1#45939 to mitigate the authentication bypass. The advisory records a workaround rather than a fixed version, so confirm the measure has been applied on every Agentflow instance, including test and staging systems.
  • Restrict network access to the Agentflow service with firewall rules so that only trusted IP ranges can reach it, in particular whatever interface issues authentication tokens. This does not remove the flaw, but it keeps anonymous internet clients away from it while the workaround is rolled out.
  • Monitor authentication logs for token issuance that is not preceded by a credential check, for one source address logging in as many different users in a short window, and for one account appearing from several source addresses at once, and alert on these patterns.

Generated by OpenCVE AI on April 18, 2026 at 12:52 UTC.
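As an added example, not code from the OpenCVE page or from Flowring, the following Python script turns the third recommendation into concrete detection logic. It assumes a constructed, hypothetical audit-log format (timestamp, source address, event, user, result); Agentflow's real log layout is not described on this page, so the regular expression must be adapted before use. Because the bypass lets an attacker mint a token for any user without knowing which functionality leaks it, the script looks for the two patterns that follow from that capability regardless of endpoint: one client address logging in as many distinct users within minutes, and one account logging in from several addresses within a short window.

```python
"""Added example (not part of the OpenCVE page or Flowring's own tooling).

Detects login patterns consistent with an attacker who can obtain tokens for
arbitrary users: one source address logging in as many accounts in a short
window, and one account logging in from several source addresses.

The log format below is constructed for this example; Agentflow's real audit
log layout is not described on the advisory page and is an assumption here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real Agentflow output). 198.51.100.7 plays the
# attacker: it logs in as four different users in thirteen seconds, two of whom
# were legitimately logged in from other addresses a few minutes earlier.
SAMPLE_LOG = """\
2026-02-11T09:00:01Z src=203.0.113.10 event=login user=alice result=success
2026-02-11T09:00:05Z src=203.0.113.11 event=login user=bob result=success
2026-02-11T09:12:40Z src=198.51.100.7 event=login user=alice result=success
2026-02-11T09:12:44Z src=198.51.100.7 event=login user=bob result=success
2026-02-11T09:12:49Z src=198.51.100.7 event=login user=carol result=success
2026-02-11T09:12:53Z src=198.51.100.7 event=login user=admin result=success
2026-02-11T09:13:10Z src=198.51.100.7 event=login user=dave result=failure
2026-02-11T10:30:00Z src=203.0.113.12 event=login user=erin result=success
"""

# Assumed line layout; replace with the real log format before deployment.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(text):
    """Parse log text into a list of event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(d)
    events.sort(key=lambda e: e["ts"])
    return events


def sliding_distinct(events, key, value, window, threshold):
    """Group successful logins by `key`; for each group, find the largest set
    of distinct `value`s that occur inside any span of length `window`.
    Returns {key: set_of_values} for groups reaching `threshold`."""
    groups = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "success":
            groups[e[key]].append(e)
    hits = {}
    for k, evs in groups.items():  # evs is already time-ordered
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e[value] for e in evs[start : end + 1]}
            if len(distinct) >= threshold and len(distinct) > len(hits.get(k, ())):
                hits[k] = distinct
    return hits


def one_source_many_users(events, window=timedelta(minutes=5), threshold=3):
    """A single client address logging in as >= threshold distinct users."""
    return sliding_distinct(events, "src", "user", window, threshold)


def one_user_many_sources(events, window=timedelta(minutes=15), threshold=2):
    """A single account logging in from >= threshold distinct addresses."""
    return sliding_distinct(events, "user", "src", window, threshold)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("sources logging in as many users:", one_source_many_users(ev))
    print("users seen from several sources:", one_user_many_sources(ev))
```

On the constructed input the first detector flags 198.51.100.7 for alice, bob, carol and admin, and the second flags alice and bob, each seen from two addresses within fifteen minutes; the failed attempt for dave is ignored because only successful logins matter for token misuse. The windows and thresholds are starting points and should be tuned against a baseline of normal shared-address use (NAT, VPN concentrators) before alerting on them.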


Advisories

No advisories yet.

History

Fri, 13 Feb 2026 21:00:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:flowring:agentflow:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 20:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 12:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Flowring; Flowring agentflow

Type: Vendors & Products
Values removed: (none)
Values added: Flowring; Flowring agentflow

Tue, 10 Feb 2026 07:15:00 +0000

Type: Description
Values removed: (none)
Values added: Agentflow developed by Flowring has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain arbitrary user authentication token and log into the system as any user.

Type: Title
Values removed: (none)
Values added: Flowring|Agentflow - Authentication Bypass

Type: Weaknesses
Values removed: (none)
Values added: CWE-288

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
              cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Flowring Agentflow
MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-02-10T19:34:22.341Z

Reserved: 2026-02-06T11:02:46.628Z

Link: CVE-2026-2095

Vulnrichment

Updated: 2026-02-10T19:34:18.003Z

NVD

Status: Analyzed

Published: 2026-02-10T07:16:13.903

Modified: 2026-02-13T20:53:19.297

Link: CVE-2026-2095

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses