CVE-2026-2095
Published: 10 February 2026
Summary
CVE-2026-2095 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Flowring Agentflow. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires identification, reporting, and correction of flaws like CVE-2026-2095, directly preventing exploitation of the authentication bypass vulnerability through patching.
IA-2 mandates unique identification and authentication for organizational users, preventing unauthenticated attackers from bypassing authentication to impersonate any user.
IA-5 ensures secure management and distribution of authenticators such as tokens, mitigating the acquisition of arbitrary authentication tokens by unauthenticated remote attackers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated remote authentication bypass in a network-accessible application (T1190), directly exploited to obtain arbitrary user authentication tokens (T1528, T1212).
NVD Description
Agentflow developed by Flowring has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain arbitrary user authentication token and log into the system as any user.
Deeper analysisAI
CVE-2026-2095 is an Authentication Bypass vulnerability in Agentflow, a product developed by Flowring. The flaw, associated with CWE-288, enables unauthenticated remote attackers to exploit a specific functionality within the software to obtain arbitrary user authentication tokens. This allows attackers to log into the system impersonating any user. The vulnerability received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites.
Unauthenticated attackers can exploit this vulnerability remotely over the network without user interaction or privileges. Successful exploitation grants full access to the system as any targeted user, potentially leading to complete compromise including high confidentiality, integrity, and availability impacts as reflected in the CVSS metrics.
Mitigation details are available in advisories published by Flowring and TWCERT, accessible at https://forum.flowring.com/post/view?bid=72&id=45611&tpg=1&ppg=1&sty=1#45939, https://www.twcert.org.tw/en/cp-139-10700-3534d-2.html, and https://www.twcert.org.tw/tw/cp-132-10699-49c0b-1.html. The vulnerability was published on 2026-02-10.
Details
- CWE(s)