Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the resetPassword method of the AccountService class. There is no check performed to ensure that a password reset token has actually been generated for a user account. By default the value of the reset token stored in a user's account is null, or an empty string if they've reset their password before. An attacker with knowledge of the user's email address can submit a request to the "/api/v1/account/reset-password" endpoint containing a null or empty string reset token value and reset that user's password to a value of their choosing. This vulnerability is fixed in 3.1.0.
Published: 2026-04-23
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

The flaw resides in the resetPassword method of the Flowise AccountService. The method does not verify that a valid password reset token exists before allowing a password change. An attacker who knows a user’s email address can submit a request to the /api/v1/account/reset-password endpoint with a null or empty token, causing the user’s password to be reset to a value chosen by the attacker.
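
The missing check described above, as an added illustration in TypeScript (not Flowise's code): a reset function that mirrors the flaw beside a hardened one that requires an issued, non-empty, unexpired, single-use token. The Account fields, the helper names and the 15-minute expiry are assumptions, not Flowise's schema.

```typescript
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';

// Hypothetical account record; field names are assumptions, not Flowise's schema.
export interface Account {
  email: string;
  passwordHash: string;
  resetToken: string | null;          // null until a reset is requested, '' after a completed reset
  resetTokenExpiresAt: number | null; // assumed expiry field, not mentioned in the advisory
}

// Stand-in for a real password hash (use bcrypt or argon2 in production).
const hashPassword = (pw: string): string => createHash('sha256').update(pw).digest('hex');

// Mirrors the flaw: the submitted token is compared to whatever is stored, so a
// stored null/'' matches a submitted null/'' and the password is replaced anyway.
export function vulnerableReset(acct: Account, token: string | null, newPw: string): boolean {
  if (acct.resetToken !== token) return false; // null === null and '' === '' both pass
  acct.passwordHash = hashPassword(newPw);
  return true;
}

// Issues a random single-use token with an expiry; the reset flow must run this first.
export function issueResetToken(acct: Account, now = Date.now(), ttlMs = 15 * 60_000): string {
  acct.resetToken = randomBytes(32).toString('hex');
  acct.resetTokenExpiresAt = now + ttlMs;
  return acct.resetToken;
}

// Hardened version: refuses unless a non-empty, unexpired token was issued and the
// client value matches it in constant time; the token is consumed on success.
export function hardenedReset(acct: Account, token: unknown, newPw: string, now = Date.now()): boolean {
  if (!acct.resetToken) return false;                       // nothing issued (null or '')
  if (typeof token !== 'string' || token.length === 0) return false;
  if (acct.resetTokenExpiresAt === null || now > acct.resetTokenExpiresAt) return false;
  const a = Buffer.from(token);
  const b = Buffer.from(acct.resetToken);
  if (a.length !== b.length || !timingSafeEqual(a, b)) return false;
  acct.resetToken = null;                                   // single use
  acct.resetTokenExpiresAt = null;
  acct.passwordHash = hashPassword(newPw);
  return true;
}
```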

Affected Systems

Affected systems are installations of FlowiseAI Flowise prior to version 3.1.0. The vulnerability applies to all users whose accounts have never received a password reset token, which is the default state, and to accounts that have reset their password before, since the stored token then becomes an empty string. No specific sub-versions are listed; any release before 3.1.0 should be treated as affected.

Risk and Exploitability

The CVSS score of 7.7 reflects a moderate to severe risk, while the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not yet in CISA’s KEV catalog. Exploitation requires only the target’s email address and the public exposure of the reset endpoint, both commonly available in a typical deployment. An attacker can perform a simple HTTP request to reset the password, after which they can log in as that user.

Generated by OpenCVE AI on April 28, 2026 at 07:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.1.0 or later to fix the missing token validation.
  • If an upgrade is not immediately possible, block or restrict access to the /api/v1/account/reset-password endpoint from external or untrusted networks.
  • Monitor and audit account reset logs for abnormal activity and consider temporarily disabling user‑initiated password resets until a patch is applied.



Advisories
Source: GitHub GHSA
ID: GHSA-f6hc-c5jr-878p
Title: Flowise: resetPassword Authentication Bypass Vulnerability
History

Fri, 24 Apr 2026 19:15:00 +0000

Values removed: none

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 16:45:00 +0000

Values removed: none

Type: First Time appeared
Values added: Flowiseai; Flowiseai flowise

Type: CPEs
Values added: cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Flowiseai; Flowiseai flowise

Type: Metrics (cvssV3_1)
Values added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 23 Apr 2026 20:15:00 +0000

Values removed: none

Type: Description
Values added: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the resetPassword method of the AccountService class. There is no check performed to ensure that a password reset token has actually been generated for a user account. By default the value of the reset token stored in a user's account is null, or an empty string if they've reset their password before. An attacker with knowledge of the user's email address can submit a request to the "/api/v1/account/reset-password" endpoint containing a null or empty string reset token value and reset that user's password to a value of their choosing. This vulnerability is fixed in 3.1.0.

Type: Title
Values added: Flowise: AccountService resetPassword Authentication Bypass Vulnerability

Type: Weaknesses
Values added: CWE-287

Type: References
Values added: none listed

Type: Metrics (cvssV4_0)
Values added: {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T18:20:07.284Z

Reserved: 2026-04-18T14:01:46.802Z

Link: CVE-2026-41276

Vulnrichment

Updated: 2026-04-24T14:43:14.540Z

NVD

Status : Modified

Published: 2026-04-23T20:16:16.270

Modified: 2026-04-24T19:17:11.770

Link: CVE-2026-41276

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T07:30:26Z

Weaknesses