CVE Catalog

CVE-2025-71327

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.48%

38th percentile — higher than 38% of all known CVEs

Summary

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API access without credentials.

Risk Assessment

The risk involves unauthorized access to the system and its data by third parties, potentially leading to breaches of confidentiality, integrity, and availability of information.

Recommendation

Immediately secure the /api/v1/account/register endpoint by requiring authentication or restricting access to authorized users only. It is also recommended to implement access control mechanisms and monitor for unauthorized registration attempts.

Original NVD description (English source)

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API access without credentials.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS