CVE-2025-71327
Published 2026-06-25
CVE-2025-71327: Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create…
Priority: P273, critical, 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.46% (36.6th percentile)
Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API access without credentials.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowise | flowise | — | — |
| flowiseai | flowise | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Flowise 3.0.1 /api/v1/account/register missing authentication (GHSA-v5w9-prxf-w882)
vuldb·2026-06-26·CVSS 9.1
CVE-2025-71327 [CRITICAL] Flowise 3.0.1 /api/v1/account/register missing authentication (GHSA-v5w9-prxf-w882)
A vulnerability marked as critical has been reported in Flowise 3.0.1. Impacted is an unknown function of the file /api/v1/account/register. Performing a manipulation results in missing authentication.
This vulnerability is cataloged as CVE-2025-71327. It is possible to initiate the attack remotely. There is no exploit available.
GHSA
Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts.
ghsa_unreviewed·2026-06-26
CVE-2025-71327 [CRITICAL] CWE-306 Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts.
Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API access without credentials.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-25