CVE-2025-71328
Analyzed Analyzed - Analysis Complete

Flowise Unverified Password Change Leading to Account Takeover

Vulnerability report for CVE-2025-71328, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-29
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
flowiseai flowise to 3.0.10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-620 When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Flowise versions before 3.0.10 and involves an unverified password change feature. An authenticated user can change their account password through the account settings without needing to provide their current password or any other form of verification.

Because the application does not enforce a current-password check when changing credentials, an attacker who can hijack or coerce an authenticated session can exploit this to take over the account completely.

Detection Guidance

This vulnerability involves an authenticated user being able to change their password without supplying the current password or additional verification. Detection would involve monitoring for password change requests that do not require current password verification.

Since the vulnerability is in the account settings (Security) section of Flowise before version 3.0.10, you can detect exploitation attempts by inspecting logs or network traffic for password change requests that lack the current password field.

No specific commands are provided in the available resources to detect this vulnerability on your system or network.

Impact Analysis

This vulnerability can lead to a full account takeover if an attacker gains access to an authenticated session. The attacker can change the account password without knowing the original password, effectively locking out the legitimate user and gaining unauthorized access to the account.

Compliance Impact

The vulnerability allows an authenticated user to change their account password without supplying the current password or any additional verification, leading to potential full account takeover.

This can result in loss of confidentiality and integrity of account data, which may impact compliance with standards and regulations such as GDPR and HIPAA that require protection of user data and secure authentication mechanisms.

By enabling unauthorized account takeover, the vulnerability could lead to unauthorized access to personal or sensitive information, thereby violating data protection requirements and potentially causing non-compliance with these regulations.

Mitigation Strategies

The immediate mitigation step is to upgrade Flowise to version 3.0.10 or later, where this vulnerability has been patched.

Until the upgrade can be applied, restrict access to the account settings (Security) section to trusted users only and monitor authenticated sessions for suspicious activity.

Additionally, consider implementing additional verification mechanisms for password changes if possible, such as requiring the current password or multi-factor authentication.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71328. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart