Unverified Password Change Vulnerability in Flowise by FlowiseAI
CVE-2025-71328

8.7HIGH

Key Information:

Vendor: Flowise
Status: Vendor
CVE Published: 25 June 2026

What is CVE-2025-71328?

Flowise prior to version 3.0.10 contains a vulnerability that allows an authenticated user's password to be changed without the current password being verified. Because the password-change operation is gated only on holding an authenticated session, an attacker who obtains or hijacks a logged-in session (for example through a stolen session token or an unattended browser) can set a new password of their choosing and lock the legitimate owner out, turning a temporary session compromise into a persistent account takeover. Administrators should upgrade to a release that is no longer affected and review accounts for unexpected password changes.

Affected Version(s)

Flowise 0 < 3.0.10

Flowise 3.0.10

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability Reserved

  • Vulnerability Published

Credit

mbiesiad