CVE-2025-58434: Flowise: auth bypass in reset flow allows full ATO

Published September 12, 2025
CISO Take

Flowise versions 3.0.5 and earlier expose a critical authentication failure in the forgot-password endpoint that returns a valid password reset token directly in the API response — no authentication, no email verification, no barriers whatsoever. Any unauthenticated attacker who knows a target's email can silently reset credentials and seize full account control, gaining access to all LLM workflows, embedded API keys (OpenAI, Anthropic, etc.), agent configurations, and processed data. A public PoC and Nuclei scanner template already exist, making this trivially exploitable by automated tooling at scale against any internet-exposed self-hosted Flowise instance — and with 16 CVEs already logged against this package, this is not an isolated lapse. Upgrade to Flowise 3.0.6 immediately; if patching is blocked, firewall the instance and audit password reset logs for bulk or multi-user requests.

Sources: NVD, GitHub Advisory, ATLAS

Risk Assessment

Extremely high. CVSS 9.8 with a fully network-accessible, zero-authentication, zero-user-interaction attack path. The combination of a public PoC and an active Nuclei scanner template eliminates any barrier to mass exploitation — script-kiddies and automated scanners can fully weaponize this within hours of discovery. Self-hosted Flowise deployments exposed to the internet are acutely at risk. The 16 prior CVEs in this package indicate a systemic security posture problem, not an isolated bug.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
flowise   npm                            No patch


Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: N/A
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
  Public PoC indexed (trickest/cve)
  Nuclei detection template available
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

  1. Patch immediately: upgrade to Flowise 3.0.6+ (fix in commit 9e178d68873eb876073846433a596590d3d9c863).
  2. If patching is not immediately possible, block external access to the Flowise instance via firewall rules or place behind VPN — this is the single most effective short-term mitigation.
  3. Rotate all API keys stored in Flowise agent configurations (OpenAI, Anthropic, etc.) if the instance was internet-exposed at any point before patching.
  4. Audit web/application logs for anomalous POST requests to the /forgot-password endpoint, particularly bulk requests or requests targeting multiple email addresses.
  5. Review all user accounts for unauthorized password changes or new sessions.
  6. For cloud.flowiseai.com users, verify account activity logs and rotate credentials regardless of patch status.
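Step 4 above asks for an audit of bulk forgot-password requests. The following is an added example, not code from the advisory or from Flowise: it parses constructed combined-format access-log lines, groups POSTs to the reset endpoint by client address, and flags any source that reaches a threshold inside a sliding time window. The threshold, window and sample lines are assumptions made for this illustration.

```javascript
const RESET_PATH_SUFFIX = '/forgot-password'; // matches /forgot-password and /api/v1/forgot-password
const THRESHOLD = 3;                          // POSTs from one source inside the window (assumed)
const WINDOW_MS = 10 * 60 * 1000;             // 10-minute sliding window (assumed)

// Combined-format access log: client, timestamp, method, path, status.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Convert "12/Sep/2025:10:15:01 +0000" to epoch milliseconds (UTC).
function parseClfTime(s) {
  const m = /^(\d+)\/(\w+)\/(\d+):(\d+):(\d+):(\d+) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return null;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offset = (+m[8] * 60 + +m[9]) * 60 * 1000;
  return m[7] === '+' ? local - offset : local + offset;
}

// Group POSTs to the reset endpoint by client address and report every source
// that reaches `threshold` requests inside any `windowMs`-wide sliding window.
function findBulkResetRequests(lines, threshold = THRESHOLD, windowMs = WINDOW_MS) {
  const byIp = new Map();
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m || m[3] !== 'POST' || !m[4].split('?')[0].endsWith(RESET_PATH_SUFFIX)) continue;
    const t = parseClfTime(m[2]);
    if (t !== null) byIp.set(m[1], [...(byIp.get(m[1]) || []), t]);
  }
  const findings = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    for (let start = 0, end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= threshold) {
        findings.push({ ip, total: times.length, firstSeen: new Date(times[0]).toISOString() });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample: one source fires three resets in three seconds; another makes two, 15 minutes apart.
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Sep/2025:10:15:01 +0000] "POST /api/v1/forgot-password HTTP/1.1" 200 212 "-" "python-requests/2.32"',
  '203.0.113.7 - - [12/Sep/2025:10:15:02 +0000] "POST /api/v1/forgot-password HTTP/1.1" 200 212 "-" "python-requests/2.32"',
  '203.0.113.7 - - [12/Sep/2025:10:15:03 +0000] "POST /api/v1/forgot-password HTTP/1.1" 200 212 "-" "python-requests/2.32"',
  '198.51.100.4 - - [12/Sep/2025:10:20:44 +0000] "POST /api/v1/forgot-password HTTP/1.1" 200 212 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [12/Sep/2025:10:35:44 +0000] "POST /api/v1/forgot-password HTTP/1.1" 200 212 "-" "Mozilla/5.0"',
];
console.log(findBulkResetRequests(SAMPLE_LOG));
```

Access logs do not carry the POST body, so per-source volume is the signal available here; correlating which accounts were targeted needs the application's own reset log.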

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.1.2 - Information access restriction
NIST AI RMF: GOVERN 6.2 - Contingency responses to AI risks and incidents
OWASP LLM Top 10: LLM06:2025 - Excessive Agency

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO). This vulnerability applies to both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments that expose the same API. Commit 9e178d68873eb876073846433a596590d3d9c863 in version 3.0.6 secures password reset endpoints.

Several recommended remediation steps are available:

  1. Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel.
  2. Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration.
  3. Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery).
  4. Apply the same fixes to both cloud and self-hosted/local deployments.
  5. Log and monitor password reset requests for suspicious activity.
  6. Consider multi-factor verification for sensitive accounts.

Exploitation Scenario

An adversary scans for exposed Flowise instances via Shodan or deploys the existing Nuclei template against a target IP range. Upon discovering an internet-facing Flowise deployment, the attacker sends a single unauthenticated POST to /api/v1/forgot-password with the admin user's email (obtained from OSINT or user enumeration, which the vulnerable endpoint also enables). The API returns the tempToken directly in the JSON response body. The attacker immediately POSTs this token to the password reset endpoint, sets a new password, and logs in as the administrator. Within minutes they have access to all LLM workflow definitions, all stored API keys for OpenAI and Anthropic, all connected vector databases and data sources, and the full history of data processed by those flows. The attacker exfiltrates the API keys for further abuse and optionally backdoors agent system prompts before covering tracks.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: September 12, 2025
Last Modified: September 20, 2025
First Seen: September 12, 2025

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2025/CVE-2025-58434.yaml -u https://target.example.com
