Password Reset Vulnerability in Flowise Affects User Accounts
CVE-2025-58434

9.8 CRITICAL

Key Information:

Vendor: Flowiseai
Status: Vendor
CVE Published: 12 September 2025

What is CVE-2025-58434?

The Flowise platform contains a significant vulnerability in its forgot-password endpoint, which can return sensitive information, including a valid password reset token, without the necessary authentication or verification. This flaw allows attackers to generate reset tokens for arbitrary users, enabling them to fully compromise user accounts. The issue affects both the cloud service and self-hosted deployments of Flowise. It is essential to secure password reset processes by ensuring tokens are only delivered through registered email channels, logging password reset requests, and validating tokens stringently. Implementing these security measures can mitigate the risk of unauthorized account access.

Affected Version(s)

Flowise <= 3.0.5

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved
