CVE-2025-71327
Analyzed Analyzed - Analysis Complete

Authentication Bypass in Flowise via Unprotected Registration Endpoint

Vulnerability report for CVE-2025-71327, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API access without credentials.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-29
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
flowiseai flowise 3.0.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an authentication bypass in Flowise's /api/v1/account/register endpoint. It is unprotected, allowing unauthenticated attackers to create user accounts without any credentials.

Attackers can exploit this flaw to register arbitrary accounts and gain full API access to the system without needing to authenticate.

Detection Guidance

This vulnerability can be detected by checking if the /api/v1/account/register endpoint is accessible without authentication and allows creation of user accounts.

You can use commands like curl to test this endpoint by attempting to register a new user without credentials.

  • curl -X POST http://<target-ip-or-domain>/api/v1/account/register -d '{"username":"testuser","password":"testpass"}' -H "Content-Type: application/json"

If the request succeeds and a new user account is created without authentication, the system is vulnerable.

Impact Analysis

The vulnerability allows attackers to bypass authentication and gain full API access by creating arbitrary user accounts.

This can lead to unauthorized access to sensitive data or system functions, potentially compromising the security and integrity of the affected system.

Compliance Impact

The vulnerability allows unauthenticated attackers to create arbitrary user accounts and gain full API access without credentials, which can lead to unauthorized access to sensitive data and systems.

Such unauthorized access could result in violations of common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Therefore, exploitation of this vulnerability may compromise compliance by exposing systems to unauthorized data access and potential data breaches.

Mitigation Strategies

Immediate mitigation steps include restricting access to the /api/v1/account/register endpoint to authenticated users only or disabling the endpoint if registration is not required.

Since no patches are currently available, you should implement network-level controls such as firewall rules or API gateway policies to block unauthenticated requests to this endpoint.

Monitor logs for any unauthorized account creation attempts and consider temporarily disabling new user registrations until a fix is released.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71327. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart