CVE Catalog

CVE-2025-71328

HighCVSS 8.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile — higher than 20% of all known CVEs

Summary

Flowise before version 3.0.10 has an unverified password change vulnerability. An authenticated user can change their password without providing the current password, allowing an attacker who hijacks a session to take over the account.

Risk Assessment

The risk for the organization includes potential account takeover by attackers who gain access to a session, leading to unauthorized access to sensitive data and systems.

Recommendation

Immediately upgrade Flowise to version 3.0.10 or later to fix this vulnerability. Additionally, implement session monitoring and enforce current password verification for all password changes.

Original NVD description (English source)

Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS