Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71337

CVE-2025-71337: Flowise Auth Bypass Vulnerability

CVE-2025-71337 is an authentication bypass flaw in Flowise versions 3.0.7 and earlier allowing attackers to hijack accounts by changing email addresses without verification. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-71337 Overview

CVE-2025-71337 is an unverified email change vulnerability in Flowise, an open-source low-code platform for building large language model (LLM) applications. Versions 3.0.7 and earlier allow an authenticated user to modify the account email address through the account profile endpoint. The endpoint does not require confirmation from the original email address and does not prompt for the current password. Because the email serves as both the login identifier and the password-recovery channel, an attacker who controls a session can redirect recovery messages and seize the account. Flowise 3.0.10 resolves the issue. The weakness maps to CWE-620: Unverified Password Change.

Critical Impact

An attacker with access to an authenticated Flowise session can silently change the recovery email, trigger a password reset, and obtain persistent control of the victim account.

Affected Products

  • Flowise versions 3.0.7 and earlier
  • Flowise versions prior to 3.0.10
  • FlowiseAI self-hosted deployments exposing the account profile endpoint

Discovery Timeline

  • 2026-06-23 - CVE-2025-71337 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2025-71337

Vulnerability Analysis

Flowise exposes an account profile endpoint that lets authenticated users update profile attributes, including the email address. The endpoint accepts a new email value and persists it without sending a verification link to the previous address and without re-prompting for the current password. This breaks the trust binding between the authenticated principal and the recovery channel.

The email field in Flowise serves a dual role. It identifies the user at login and receives password-reset tokens. Mutating that field through a single authenticated request collapses both controls into one action that requires no step-up verification.

Root Cause

The root cause is missing re-authentication and missing out-of-band confirmation on a security-sensitive state change, classified under [CWE-620]. The profile update handler treats the email attribute as ordinary profile data. It does not enforce the workflow that account recovery identifiers normally require, such as confirming ownership of the new address and validating possession of the old credential.

Attack Vector

The attack requires an authenticated session on the target Flowise instance. Session acquisition paths include stolen cookies, cross-site scripting against the Flowise UI, leaked API tokens, or insider access on shared deployments. Once authenticated, the attacker submits a request to the profile endpoint that replaces the email with an address they control.

The attacker then invokes the standard password-recovery flow. Flowise sends the reset token to the new, attacker-controlled email. The attacker completes the reset and locks the legitimate user out. No interaction from the original owner is required to complete the takeover.

No verified public proof-of-concept code is referenced in the advisory. Technical detail is available in the GitHub Security Advisory GHSA-x39m-3393-3qp4 and the VulnCheck Advisory.

Detection Methods for CVE-2025-71337

Indicators of Compromise

  • Profile update events on the Flowise account endpoint where the email attribute changes to a domain not previously associated with the user or the organization.
  • Password-reset emails delivered to addresses that differ from the historical recovery address for a given account.
  • Successful logins from new IP addresses or user agents immediately following an email change and password reset on the same account.

Detection Strategies

  • Parse Flowise application logs for HTTP requests to the profile endpoint that mutate the email field, and correlate them with subsequent password-reset requests within a short time window.
  • Alert on any change to a privileged Flowise user's email attribute, particularly for admin or workspace-owner roles.
  • Compare the destination email in outbound reset messages against an allowlist of approved corporate domains.

Monitoring Recommendations

  • Forward Flowise audit logs and reverse-proxy access logs to a centralized log platform with retention sufficient for incident review.
  • Track per-account rates of profile mutations and reset requests to surface anomalies against historical baselines.
  • Monitor outbound mail server logs for reset tokens delivered to addresses outside the organization's domains.

How to Mitigate CVE-2025-71337

Immediate Actions Required

  • Upgrade all Flowise deployments to version 3.0.10 or later, which enforces verification on email changes.
  • Audit user accounts for unexpected email changes since the deployment was first exposed and reset credentials on any account that shows tampering.
  • Restrict network access to the Flowise UI and API so that only authenticated users from approved networks can reach the profile endpoint.

Patch Information

Flowise 3.0.10 contains the fix. The maintainers document the remediation in the GitHub Security Advisory GHSA-x39m-3393-3qp4. Operators running 3.0.7 or earlier should plan the upgrade as a priority change because the underlying control is account recovery.

Workarounds

  • Place Flowise behind a reverse proxy or identity-aware gateway that requires step-up authentication before allowing access to the /account profile route.
  • Disable self-service email modification at the proxy layer until the upgrade is complete by blocking PUT or POST requests that include an email field on the profile endpoint.
  • Rotate session secrets and invalidate active sessions after upgrading to remove any pre-existing footholds.
bash
# Example reverse-proxy rule to block email mutation until patched (NGINX)
location ~ ^/api/v1/account/?$ {
    if ($request_method ~ ^(POST|PUT|PATCH)$) {
        return 403;
    }
    proxy_pass http://flowise_upstream;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.