CVE-2025-71328
Published 2026-06-25
Priority: P3 (59) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.33% (24.4th percentile)
Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowise | flowise | < 3.0.10 | 3.0.10 |
| flowiseai | flowise | < 3.0.10 | 3.0.10 |
CVSS provenance
NVD · CVSS v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD · CVSS v4.0 · 8.7 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB
Flowise up to 3.0.9 unverified password change (GHSA-fjh6-8679-9pch)
vuldb · 2026-06-26 · CVSS 8.3
CVE-2025-71328 [HIGH] Flowise up to 3.0.9 unverified password change (GHSA-fjh6-8679-9pch)
A vulnerability, which was classified as critical, has been found in Flowise up to 3.0.9. This impacts an unknown function. This manipulation causes unverified password change.
This vulnerability appears as CVE-2025-71328. The attack may be initiated remotely. There is no available exploit.
It is advisable to upgrade the affected component.
GHSA
Flowise before 3.0.10 contains an unverified password change vulnerability.
ghsa_unreviewed · 2026-06-26
CVE-2025-71328 [HIGH] CWE-620 Flowise before 3.0.10 contains an unverified password change vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.