CVE-2025-71337

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L                                    

Vulnerability Description

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.

Vulnerability Details

Published Date

June 23, 2026

Last Modified

June 23, 2026

CWE ID

CWE-620

Source

NVD

Vendor

Flowise

Product

Flowise

External References

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4
https://www.vulncheck.com/advisories/flowise-unverified-email-change-via-account-profile-endpoint
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4

CVE-2025-71337

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment