cvedb.io
CVE-2025-71328
HIGH · CVSS 8.3
EPSS exploitation probability: 0%
Published 2026-06-25T22:16:58.877 · Last modified 2026-06-29T18:46:58.507

Summary

Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.
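The missing check described above, as an added illustration that is not Flowise's own code: a hypothetical TypeScript password-change handler, first in the unverified form the advisory describes and then with the current-password re-authentication that closes the gap. The in-memory user store, function names and scrypt parameters are assumptions made for this example.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Hypothetical in-memory user store (constructed for this example).
interface UserRecord { id: string; salt: Buffer; hash: Buffer; }
const users = new Map<string, UserRecord>();

// scrypt with a per-user salt; 32-byte derived key.
function hashPassword(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, 32);
}

function createUser(id: string, password: string): void {
  const salt = randomBytes(16);
  users.set(id, { id, salt, hash: hashPassword(password, salt) });
}

// Constant-time comparison so a wrong guess leaks no timing signal.
function verifyPassword(id: string, password: string): boolean {
  const u = users.get(id);
  if (!u) return false;
  return timingSafeEqual(u.hash, hashPassword(password, u.salt));
}

// Weak pattern (the class of bug in the advisory): possession of an
// authenticated session is the only thing authorizing the credential change,
// so anyone who hijacks or coerces that session can rotate the password.
function changePasswordUnverified(sessionUserId: string, newPassword: string): boolean {
  const u = users.get(sessionUserId);
  if (!u) return false;
  u.salt = randomBytes(16);
  u.hash = hashPassword(newPassword, u.salt);
  return true;
}

// Hardened form: re-authenticate with the current password before accepting
// the new one. A production handler would also revoke other sessions and
// notify the account owner after a successful change.
function changePasswordVerified(
  sessionUserId: string, currentPassword: string, newPassword: string,
): { ok: boolean; reason?: string } {
  const u = users.get(sessionUserId);
  if (!u) return { ok: false, reason: "no such user" };
  if (!verifyPassword(sessionUserId, currentPassword)) {
    return { ok: false, reason: "current password incorrect" };
  }
  if (newPassword.length < 12) return { ok: false, reason: "new password too short" };
  u.salt = randomBytes(16);
  u.hash = hashPassword(newPassword, u.salt);
  return { ok: true };
}
```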

Affected products

flowiseai — flowise

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.