CVE-2025-71328

HIGH SEVERITY

CVSS Score & Metrics

Base Score: 8.3 / 10
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Vulnerability Description

Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.

Vulnerability Details

Published Date:
Last Modified:
CWE ID: CWE-620
Source: NVD
Vendor: Flowise
Product: Flowise

External References
