CVE-2025-71335
Analyzed Analyzed - Analysis Complete

Session Token Persistence After Password Change in Flowise

Vulnerability report for CVE-2025-71335, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-01

Assigner: VulnCheck

Description

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-01
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
flowiseai flowise to 3.0.10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Flowise versions before 3.0.10 (specifically 3.0.7 and earlier). When a user changes their password, the system fails to invalidate existing sessions and session tokens. This means that if an attacker already has an active sessionβ€”such as through a stolen session token or a device left logged inβ€”they remain authenticated as the legitimate user even after the password is changed.

As a result, the security purpose of changing a password is undermined because the attacker can continue to access the account without needing the new password.

Detection Guidance

This vulnerability can be detected by verifying whether existing user sessions remain active after a password change. A practical method is to log in as a user in two different browsers or devices, change the password in one, and then check if the other session remains authenticated.

There is a proof-of-concept described where after changing a password in one browser, the second browser remains logged in despite the credential update, indicating the vulnerability.

Specific commands are not provided in the resources, but a manual test involving multiple sessions can help detect the issue.

Impact Analysis

This vulnerability can have serious security impacts. An attacker who has gained access to a user's session can maintain unauthorized access even after the user changes their password. This means that password changes, which are typically used to secure accounts after a compromise or as a routine security measure, will not effectively block the attacker.

The attacker can continue to perform actions as the legitimate user, potentially leading to data theft, unauthorized transactions, or other malicious activities.

Compliance Impact

This vulnerability allows an attacker who already holds an active session to remain authenticated even after the legitimate user changes their password. This undermines the security purpose of password changes by failing to invalidate existing sessions and session tokens.

Such a failure can negatively impact compliance with common security standards and regulations like GDPR and HIPAA, which require proper session management and protection of user credentials to prevent unauthorized access.

Specifically, the inability to invalidate sessions after password changes may lead to unauthorized access to sensitive personal or health data, violating principles of data protection and security mandated by these regulations.

Mitigation Strategies

The immediate mitigation step is to upgrade Flowise to version 3.0.10 or later, where this vulnerability has been fixed.

Until the upgrade is applied, it is important to monitor for unauthorized active sessions and consider forcing logout of all sessions when a password change occurs, if possible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71335. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart