CVE-2025-71328
HighCVSS 8.3Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
Flowise before version 3.0.10 has an unverified password change vulnerability. An authenticated user can change their password without providing the current password, allowing an attacker who hijacks a session to take over the account.
Risk Assessment
The risk for the organization includes potential account takeover by attackers who gain access to a session, leading to unauthorized access to sensitive data and systems.
Recommendation
Immediately upgrade Flowise to version 3.0.10 or later to fix this vulnerability. Additionally, implement session monitoring and enforce current password verification for all password changes.
Original NVD description (English source)
Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.

