Skip to main content

Flowise EUVDEUVD-2025-210341

| CVE-2025-71335 HIGH
Insufficient Session Expiration (CWE-613)
2026-06-25 VulnCheck GHSA-289x-5mj7-xhg5
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable with low complexity; PR:L because the attacker must already hold a valid session; high confidentiality and integrity over the account, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 23:04 EUVD
Source Code Evidence Fetched
Jun 25, 2026 - 22:34 vuln.today
Analysis Generated
Jun 25, 2026 - 22:34 vuln.today

DescriptionCVE.org

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.

AnalysisAI

Persistent session hijacking in Flowise 3.0.7 and earlier (fixed in 3.0.10) lets an attacker retain authenticated access to a victim's account even after the victim changes their password, because the application never invalidates pre-existing sessions or session tokens on credential rotation (CWE-613). Anyone holding a stolen token or a device left logged in keeps full access, defeating the primary remediation users rely on after a suspected compromise. A working proof-of-concept is published in the vendor's GHSA advisory; publicly available exploit code exists, but there is no public exploit identified as actively exploited in the wild and it is not on the CISA KEV list.

Technical ContextAI

Flowise is an open-source, low-code platform for building LLM/agent workflows, distributed via the npm package 'flowise' (CPE cpe:2.3:a:flowise:flowise) and offered as a cloud service at cloud.flowiseai.com. The flaw is an instance of CWE-613 (Insufficient Session Expiration): the session management layer issues session tokens that are not bound to the user's credential state, so the password-change routine updates the stored credential without iterating and revoking outstanding sessions. Because there is no server-side linkage between an active session and the current password hash, token validity persists independently of credential changes - the application trusts a previously issued token indefinitely until its own (unchanged) expiry. This is the classic gap the OWASP Session Management Cheat Sheet warns about: security-sensitive events (password change, reset, MFA enrollment) must trigger global session invalidation.

RemediationAI

Vendor-released patch: upgrade Flowise to version 3.0.10 or later (fix delivered via https://github.com/FlowiseAI/Flowise/pull/5294), which is the definitive fix and should be applied per the GHSA advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x7rp-qj2h-ghgw. Until the upgrade is deployed, compensating controls include forcing all users to re-authenticate by invalidating the server-side session store (for example, rotating the session signing secret / JWT secret so all existing tokens become invalid - side effect: every active user is logged out and must sign in again), and shortening session/token lifetime to reduce the window in which a stolen token remains usable (side effect: more frequent logins for legitimate users). For high-value or internet-exposed instances, restrict network access to the Flowise UI/API to trusted networks or behind a VPN/SSO reverse proxy that can enforce its own session revocation, so an upstream identity layer can terminate sessions on password change even though Flowise itself cannot. After any suspected credential compromise on an unpatched instance, treat a password change as insufficient and additionally rotate the session secret rather than relying on the password change alone.

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2025-8943 CRITICAL POC
9.8 Aug 14

Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c

CVE-2025-26319 CRITICAL POC
9.8 Mar 04

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una

CVE-2025-58434 CRITICAL POC
9.8 Sep 12

Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9

CVE-2026-30821 CRITICAL POC
9.8 Mar 07

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent

CVE-2026-30824 CRITICAL POC
9.8 Mar 07

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi

CVE-2026-56274 HIGH POC
8.7 Jun 23

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per

CVE-2026-30820 HIGH POC
8.8 Mar 07

Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof

CVE-2026-30823 HIGH POC
8.8 Mar 07

Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).

CVE-2025-34267 HIGH POC
8.4 Oct 14

Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when

CVE-2024-8181 HIGH POC
8.1 Aug 27

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili

CVE-2026-30822 HIGH POC
7.7 Mar 07

Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu

Share

EUVD-2025-210341 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy