CVE-2025-71337

EUVD-2025-210304

23.06.2026, 13:16

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.3 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-620 - Unverified Password Change
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

References

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4

https://www.vulncheck.com/advisories/flowise-unverified-email-change-via-account-profile-endpoint

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4