CVE-2025-71335
Status: Received (Intake)
Session Token Persistence After Password Change in Flowise

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: VulnCheck

Description
Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: flowise
Product: flowise
Version range: versions before 3.0.10 (3.0.10 excluded)
CWE
CWE-613 (Insufficient Session Expiration): According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Executive Summary

This vulnerability affects Flowise versions before 3.0.10 (specifically 3.0.7 and earlier). When a user changes their password, the system fails to invalidate existing sessions and session tokens. This means that if an attacker already has an active session, such as through a stolen session token or a device left logged in, they remain authenticated as the legitimate user even after the password is changed.

As a result, the security purpose of changing a password is undermined because the attacker can continue to access the account without needing the new password.

Impact Analysis

This vulnerability can have serious security impacts. An attacker who has gained access to a user's session can maintain unauthorized access even after the user changes their password. This means that password changes, which are typically used to secure accounts after a compromise or as a routine security measure, will not effectively block the attacker.

The attacker can continue to perform actions as the legitimate user, potentially leading to data theft, unauthorized transactions, or other malicious activities.

Compliance Impact

This vulnerability allows an attacker who already holds an active session to remain authenticated even after the legitimate user changes their password. This undermines the security purpose of password changes by failing to invalidate existing sessions and session tokens.

Such a failure can negatively impact compliance with common security standards and regulations like GDPR and HIPAA, which require proper session management and protection of user credentials to prevent unauthorized access.

Specifically, the inability to invalidate sessions after password changes may lead to unauthorized access to sensitive personal or health data, violating principles of data protection and security mandated by these regulations.
