Cyber Resilience

CVE-2025-71328

Severity: High · Public PoC

Published: 25 June 2026
Modified: 29 June 2026
KEV Added: (none)
Patch: (not recorded)
CVSS Score (v4): 8.7
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0033 (24.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-71328 is a high-severity Unverified Password Change (CWE-620) vulnerability in Flowiseai Flowise. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098). The vulnerability is ranked at the 24.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1098 Account Manipulation (Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

An unverified password change directly enables unauthorized modification of the account password (T1098), allowing takeover from a hijacked session.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vendor: flowiseai
Product: flowise
Versions: ≤ 3.0.10

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References