CVE-2025-71328
Published: 25 June 2026
Summary
CVE-2025-71328 is a high-severity Unverified Password Change (CWE-620) vulnerability in Flowiseai Flowise. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098).
- Exploit likelihood: ranked at the 24.6th percentile (below the median).
- CISA KEV catalog: not currently listed.
- Public proof-of-concept: referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-210338
Vulnerability details
Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, because the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session: a stolen session cookie, a cross-site request against the settings endpoint, or script execution in the victim's browser is enough to set a new password and lock the legitimate owner out. Upgrading to 3.0.10 or later removes the issue; until then, treat any exposed Flowise instance as one where session compromise equals credential compromise.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Account Manipulation (T1098)
Why these techniques?
The missing current-password check lets anyone holding an authenticated session set a new password for that account, which is Account Manipulation (T1098); a hijacked or coerced session therefore escalates to full account takeover, with the legitimate owner locked out.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.