CVE-2025-71328
Flowise Unverified Password Change Leading to Account Takeover

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: VulnCheck

Description
Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.
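The defect described above is the CWE-620 pattern: the credential-change handler trusts the session alone. The following is an added illustration, not Flowise code, showing a minimal password-change handler that omits the current-password check beside a hardened version that requires it. The `Session` and `UserRecord` shapes, the in-memory `users` store, the scrypt-based hashing and the 12-character minimum are all assumptions made for the example.

```typescript
// Added example (not Flowise code): password change without a
// current-password check (CWE-620) next to a hardened handler.
import { scryptSync, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical shapes for the example; a real application would use its own.
interface UserRecord { id: string; passwordHash: string; }
interface Session { userId: string; }

// Constructed in-memory user store, standing in for a database.
const users = new Map<string, UserRecord>();

// Salted scrypt hash, stored as "salt:derivedKey" (both hex).
export function hashPassword(password: string, salt = randomBytes(16).toString("hex")): string {
  const derived = scryptSync(password, salt, 32).toString("hex");
  return `${salt}:${derived}`;
}

// Constant-time comparison of a candidate password against a stored hash.
export function verifyPassword(password: string, stored: string): boolean {
  const [salt, expectedHex] = stored.split(":");
  const expected = Buffer.from(expectedHex, "hex");
  const actual = scryptSync(password, salt, 32);
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

export function seedUser(id: string, password: string): void {
  users.set(id, { id, passwordHash: hashPassword(password) });
}

// Simulates a login check so the effect of each handler can be observed.
export function checkLogin(id: string, password: string): boolean {
  const user = users.get(id);
  return user !== undefined && verifyPassword(password, user.passwordHash);
}

// VULNERABLE (the behaviour the advisory describes): whoever holds a valid
// session can set a new password with no proof of knowing the current one.
export function changePasswordUnverified(session: Session, newPassword: string): boolean {
  const user = users.get(session.userId);
  if (!user) return false;
  user.passwordHash = hashPassword(newPassword);
  return true;
}

// HARDENED: the change is accepted only after the current password verifies,
// so a hijacked session alone is not enough to lock the owner out.
export function changePasswordVerified(
  session: Session,
  currentPassword: string,
  newPassword: string,
): { ok: boolean; reason?: string } {
  const user = users.get(session.userId);
  if (!user) return { ok: false, reason: "no such user" };
  if (!verifyPassword(currentPassword, user.passwordHash)) {
    return { ok: false, reason: "current password incorrect" };
  }
  if (newPassword.length < 12) {
    return { ok: false, reason: "new password too short" }; // assumed policy
  }
  user.passwordHash = hashPassword(newPassword);
  return { ok: true };
}
```

In a real service the hardened handler should also rotate the session identifier and invalidate every other active session for the account once the change succeeds, and the rejected attempts should be logged and rate-limited, since the advisory's precondition is a session the legitimate user no longer controls.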
Affected Vendors & Products
Vendor: flowise
Product: flowise
Version / Range: up to 3.0.10 (exclusive)
CWE
CWE-620: When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
Executive Summary

This vulnerability exists in Flowise versions before 3.0.10 and involves an unverified password change feature. An authenticated user can change their account password through the account settings without needing to provide their current password or any other form of verification.

Because the application does not enforce a current-password check when changing credentials, an attacker who can hijack or coerce an authenticated session can exploit this to take over the account completely.

Impact Analysis

This vulnerability can lead to a full account takeover if an attacker gains access to an authenticated session. The attacker can change the account password without knowing the original password, effectively locking out the legitimate user and gaining unauthorized access to the account.
