Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote low-complexity change requires an existing authenticated session (PR:L) with no interaction; takeover yields high confidentiality and integrity impact and limited availability loss via lockout.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.
AnalysisAI
Account takeover in Flowise (the open-source low-code LLM application builder) before version 3.0.10 stems from the account settings Security section accepting a password change without requiring the current password or any re-verification. Any authenticated user - or an attacker who hijacks or coerces an existing authenticated session - can silently reset the account credential and seize full control of the account. Publicly available exploit code exists (documented PoC with repro steps and screenshot in the GitHub Security Advisory GHSA-fjh6-8679-9pch), but there is no public exploit identified as actively exploited and it is not listed in CISA KEV.
Technical ContextAI
The flaw is classified as CWE-620 (Unverified Password Change), a root-cause class where an application updates a credential without confirming the requester's authority via the existing password or another authentication factor. In Flowise the affected logic lives in the front-end account view (packages/ui/src/views/account/index.jsx around line 278) and the corresponding credential-update path, which performs the password write while relying solely on the presence of an authenticated session rather than re-authenticating the actor. Because no current-password check or step-up authorization is enforced, the change is effectively a single-factor write tied only to session state, which makes it dangerous in the presence of session hijacking, CSRF-style coercion, or shared/unattended sessions. CPE coverage is cpe:2.3:a:flowise:flowise:*:*:*:*:*:*:*:* (npm package flowise-ui), and the fix was delivered upstream in PR #5294.
RemediationAI
Upgrade to Flowise 3.0.10 or later, which contains the fix delivered upstream in PR #5294 (https://github.com/FlowiseAI/Flowise/pull/5294); Vendor-released patch: 3.0.10. Self-hosted operators should update the flowise-ui package and redeploy, then review the advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fjh6-8679-9pch. Until patched, compensating controls include enforcing short session lifetimes and re-authentication for sensitive actions at a reverse proxy or IdP layer, restricting access to the /account settings endpoint via network ACLs or SSO-gated access (trade-off: may inconvenience legitimate self-service password changes), enabling strict same-site cookies and CSRF protections to reduce session-coercion risk, and requiring users to log in through an external identity provider so the in-app password is not the primary credential. Operators should also consider forcing a password reset for accounts that may have been exposed while the unpatched version was running.
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c
FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una
Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi
Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof
Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).
Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili
Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu
Same weakness CWE-620 – Unverified Password Change
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210338
GHSA-f44q-84cr-v374