Flowise, a drag & drop interface to build large‑language‑model flows, sent password reset links over insecure HTTP until version 3.1.0. The link was transmitted in plain text, so an attacker on the same network could capture the URL and use it to reset the user’s password. Once the attacker obtains the new password, they gain full access to the victim’s account, exposing any data stored or processed by the Flowise flow. This is an insecure transmission weakness (CWE‑319) that compromises the confidentiality and integrity of the authentication mechanism.

The vulnerability affects all installations of Flowise on cloud.flowiseai.com that run a version earlier than 3.1.0. The vendor is FlowiseAI, and the product is Flowise. Users relying on the cloud service without updating to version 3.1.0 or later are exposed.

The CVSS score of 7.5 rates this issue as high severity, and the EPSS score of less than 1 % indicates that it is rarely exploited in the wild but still presents a realistic threat to users on open or public networks. The vulnerability is not listed in the CISA KEV catalog, suggesting no large‑scale exploitation campaigns are known. An attacker would need only network access to the victim’s device or Wi‑Fi and would not require any privileged access to the Flowise backend. If the user clicks the intercepted HTTP link, the attacker can reset the password and hijack the account, achieving full account takeover.