=====================================================================
CERT-Renater Note d'Information No. 2025/VULN808
_____________________________________________________________________

DATE : 18/11/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S) : Systems running Flowise.
=====================================================================

https://github.com/advisories/GHSA-v5w9-prxf-w882
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v5w9-prxf-w882
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fjh6-8679-9pch
https://github.com/advisories/GHSA-x39m-3393-3qp4
https://github.com/advisories/GHSA-x7rp-qj2h-ghgw
_____________________________________________________________________

Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)

High severity | GitHub Reviewed | Published Nov 15, 2025 in FlowiseAI/Flowise | Updated Nov 17, 2025

Vulnerability details
Package: flowise (npm)
Affected versions: = 3.0.1
Patched versions: None

Description

Summary
An unauthenticated attacker can exploit the unprotected registration endpoint (/register) to create a new user and bypass authentication.

Details
A critical vulnerability in Flowise 3.0.1 on-premise deployments allows unauthenticated attackers to call the /api/v1/account/register endpoint to add a new user and log in with it, bypassing authentication. The registration functionality is open by default, so an attacker can create an account and use the API without any restriction or credentials.

PoC
A Flowise 3.0.1 instance was deployed via Docker for this demonstration.
[Screenshot 1: Docker deployment]
After successful deployment, the instance's organization-setup page allows us to register the first account in the system.
[Screenshot 1: newly deployed instance]
Creating the first user, research@evasec.io.
[Screenshot 2: configuring account]
Log in to the account.
[Screenshot 2: login]
The background request that created the first user went to /api/v1/account/register.
[Screenshot 3: request]
Response:
[Screenshot 3.1: response]
We found that the registration request can be reused multiple times without any restriction to create an account and authenticate to the system with it.

Crafting a new request:

{
  "user": {
    "name": "Malicious",
    "email": "attacker@attack.io",
    "type": "pro",
    "credential": "Password123!"
  }
}

[Screenshot 4: attacker registration]
Response with 201 code "Created":
[Screenshot 4.1: created]
Log in using the newly created user (attacker):
[Screenshot 5: login as attacker]
Successful login:
[Screenshot 6: successful auth bypass]
An unauthorized user can exploit this vulnerability to register an account and gain access to the Flowise API with authenticated privileges, effectively bypassing authentication.

Impact
This is an authentication bypass caused by an unprotected registration endpoint (/register). Users of Flowise 3.0.1 (latest) on-premise deployments are impacted. An unauthorized attacker can register an account after the organization setup has been completed and gain access to the Flowise API with authenticated privileges, effectively bypassing authentication.
References
GHSA-v5w9-prxf-w882

Severity: High, 8.7/10 (CVSS v4)
CVSS v4 base metrics
Exploitability metrics:
  Attack Vector: Network
  Attack Complexity: Low
  Attack Requirements: None
  Privileges Required: None
  User Interaction: None
Vulnerable system impact metrics:
  Confidentiality: None
  Integrity: High
  Availability: None
Subsequent system impact metrics:
  Confidentiality: None
  Integrity: None
  Availability: None
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Weaknesses: CWE-287
CVE ID: No known CVE
GHSA ID: GHSA-v5w9-prxf-w882
Source code: FlowiseAI/Flowise
Credits: @ReeFSpeK (reporter), @ERANV-EVA (reporter)
_____________________________________________________________________

Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change

High severity | GitHub Reviewed | Published Nov 12, 2025 in FlowiseAI/Flowise | Updated Nov 14, 2025

Vulnerability details
Package: flowise-ui (npm)
Affected versions: < 3.0.10
Patched versions: 3.0.10

Description

Summary
Bypass of Password Confirmation - Unverified Password Change (authenticated change without current password)
An authenticated user is allowed to change their account password without supplying the current password or any additional verification. The application does not verify the actor's authority to perform that credential change (no current-password check, no authorization enforcement). An attacker who is merely authenticated (or who can trick or coerce an authenticated session) can set a new password and gain control of the account (ATO - Account Takeover).

Details
Occurrence - code: https://github.com/FlowiseAI/Flowise/blob/main/packages/ui/src/views/account/index.jsx#L278
Remote and physical scenarios can be considered.
PoC
Repro steps:
1. As a logged-in user, open https://cloud.flowiseai.com/account and scroll down to the 'Security' section.
2. Change the password to a new password.
3. Notice the unverified password change (authenticated change without the current password).
POC: Password changed, and notice the "Password updated" message.
[Screenshot: secpw]

Impact
Full account takeover (ATO) of affected accounts (loss of confidentiality and integrity of account data). User account recovery mechanisms (password reset flows tied to email) can be bypassed or abused if combined with this issue and the second one I've reported (a similar security issue with the email, which is part of the credentials). (Gain persistence.)

References
GHSA-fjh6-8679-9pch
FlowiseAI/Flowise#5294
https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.10

Severity: High, 8.3/10 (CVSS v3)
CVSS v3 base metrics
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: Low
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Weaknesses: CWE-306, CWE-620
CVE ID: No known CVE
GHSA ID: GHSA-fjh6-8679-9pch
Source code: FlowiseAI/Flowise
Credits: @mbiesiad (reporter)
_____________________________________________________________________

Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials)

High severity | GitHub Reviewed | Published Nov 12, 2025 in FlowiseAI/Flowise | Updated Nov 14, 2025

Vulnerability details
Package: flowise-ui (npm)
Affected versions: < 3.0.10
Patched versions: 3.0.10

Description

Summary
Unverified Email Change - Email as part of Credential / Unverified Account Recovery Channel Change
The application allows changing the account email address (used as a login identifier and/or password recovery address) without verifying the requester's authority to make that change (no confirmation to the old email, no authentication step).
Because email often functions as a credential or recovery channel, unverified email changes enable attackers to take over accounts by switching the account's recovery/login address.

Details
Occurrence - code: https://github.com/FlowiseAI/Flowise/blob/main/packages/ui/src/views/account/index.jsx#L211
Remote and physical scenarios can be considered.

PoC
Repro steps:
1. As a logged-in user, open https://cloud.flowiseai.com/account and scroll down to the 'Profile' section.
2. Change the email to a new email.
3. Notice the unverified email change (authenticated change without any verification step). This email is later needed as a credential to log in or to use the password reset feature.
POC: Email changed, and notice the "Profile updated" message.
[Screenshot: secbug]

Impact
Full account takeover (ATO) of affected accounts (loss of confidentiality and integrity of account data). User account recovery mechanisms (password reset flows tied to email) can be bypassed or abused if combined with this issue and the second one I've reported (a similar security issue with the password, which is part of the credentials).
(Gain persistence.)

References
GHSA-x39m-3393-3qp4
FlowiseAI/Flowise#5294
https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.10

Severity: High, 8.3/10 (CVSS v3)
CVSS v3 base metrics
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: Low
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Weaknesses: CWE-306, CWE-620
CVE ID: No known CVE
GHSA ID: GHSA-x39m-3393-3qp4
Source code: FlowiseAI/Flowise
Credits: @mbiesiad (reporter)
_____________________________________________________________________

Flowise Fails to Invalidate Existing Sessions After Password Changes

High severity | GitHub Reviewed | Published Nov 12, 2025 in FlowiseAI/Flowise | Updated Nov 14, 2025

Vulnerability details
Package: flowise (npm)
Affected versions: < 3.0.10
Patched versions: 3.0.10

Description

Summary
Failure to Invalidate Existing Sessions After Password Change (Persistent Session / Session Invalidity Failure).

Details
After a user changes their password, the application does not invalidate other active sessions or session tokens that were established before the change. An attacker who already has an active session (e.g., via a stolen session token, a device left logged in, or other access) continues to be authenticated even after the legitimate user rotates credentials, allowing the attacker to retain access despite the user's password change.

PoC
Repro steps:
1. As a logged-in user on two browsers (i.e. Chrome and Firefox, with incognito/private mode), open https://cloud.flowiseai.com/account.
2. Change the password, on Chrome for example.
3. Refresh the site on Firefox (the second browser) and notice that you are still logged in (despite the credentials having been changed).
POC: Steps described above (in Repro steps) completed successfully.

Impact
Persistent unauthorized access despite credential rotation; this undermines the primary purpose of password changes as a remediation step.
It also enables attackers with an active session (remote or physical access to a device) to continue acting as the user (confidentiality and integrity impact). If session tokens are not bound to the credential state, forced password changes won't terminate attacker sessions.

Resources
OWASP Session Management Cheat Sheet
CWE-613: Insufficient Session Expiration

References
GHSA-x7rp-qj2h-ghgw
FlowiseAI/Flowise#5294

Severity: High, 8.1/10 (CVSS v3)
CVSS v3 base metrics
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: None
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Weaknesses: CWE-613
CVE ID: No known CVE
GHSA ID: GHSA-x7rp-qj2h-ghgw
Source code: FlowiseAI/Flowise
Credits: @mbiesiad (reporter)

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41           +
+ 75013 Paris           | email : cert@support.renater.fr +
=========================================================