CVE-2025-71337: Flowise: account takeover via unverified email change
Severity: HIGH
Flowise versions 3.0.7 and earlier allow any authenticated user to silently change their account email — the login identifier and password-recovery channel — without confirming the change to the original address or re-entering their current password. Because Flowise is an AI agent orchestration platform, an admin account takeover translates directly to full control over agent configurations, LLM API keys for connected providers (OpenAI, Anthropic, etc.), workflow pipelines, and every tool or data source those agents can reach. With a CVSS of 8.3, network-accessible attack vector, low complexity, and no user interaction required, the bar for exploitation is extremely low — any attacker holding a single set of stolen credentials can permanently lock out the legitimate owner before detection, since no notification reaches the original email. Upgrade immediately to Flowise 3.0.10 or later and audit account email-change events in your database for the past 30–90 days.
What is the risk?
High risk. CVSS 8.3 with a network-accessible, low-complexity, low-privilege attack profile means this is exploitable by any attacker with one valid credential pair. No public exploit or KEV listing exists yet, but the technique requires nothing more than a single authenticated API call — time-to-exploit is trivial once the vulnerability is public. Flowise carries 100+ historical CVEs, marking it as a persistently targeted AI agent platform. The attack is silent by design: the original account owner receives no notification and may not discover the compromise until a login attempt fails.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | — | No patch |
Do you use Flowise? You're affected.
What should I do?
5 steps
- Patch immediately: upgrade to Flowise 3.0.10 or later — this is the only complete remediation.
- If immediate patching is not possible, restrict network access to the account profile endpoint at the reverse-proxy or WAF layer.
- Audit all account email-change events in the Flowise database (users table) for the past 30–90 days and verify legitimacy with the original account owners.
- Rotate all LLM API keys and integration credentials stored in Flowise as a precaution if any unauthorized changes are discovered.
- Enable alerting on account profile update events going forward to detect future abuse.
Frequently Asked Questions
What is CVE-2025-71337?
Flowise versions 3.0.7 and earlier allow any authenticated user to silently change their account email — the login identifier and password-recovery channel — without confirming the change to the original address or re-entering their current password. Because Flowise is an AI agent orchestration platform, an admin account takeover translates directly to full control over agent configurations, LLM API keys for connected providers (OpenAI, Anthropic, etc.), workflow pipelines, and every tool or data source those agents can reach. With a CVSS of 8.3, network-accessible attack vector, low complexity, and no user interaction required, the bar for exploitation is extremely low — any attacker holding a single set of stolen credentials can permanently lock out the legitimate owner before detection, since no notification reaches the original email. Upgrade immediately to Flowise 3.0.10 or later and audit account email-change events in your database for the past 30–90 days.
Is CVE-2025-71337 actively exploited?
No confirmed active exploitation of CVE-2025-71337 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-71337?
1. Patch immediately: upgrade to Flowise 3.0.10 or later — this is the only complete remediation.
2. If immediate patching is not possible, restrict network access to the account profile endpoint at the reverse-proxy or WAF layer.
3. Audit all account email-change events in the Flowise database (users table) for the past 30–90 days and verify legitimacy with the original account owners.
4. Rotate all LLM API keys and integration credentials stored in Flowise as a precaution if any unauthorized changes are discovered.
5. Enable alerting on account profile update events going forward to detect future abuse.
What systems are affected by CVE-2025-71337?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow orchestration, LLM API integrations, no-code AI platforms.
What is the CVSS score for CVE-2025-71337?
CVE-2025-71337 has a CVSS v3.1 base score of 8.3 (HIGH).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0049 Exploit Public-Facing Application
- AML.T0083 Credentials from AI Agent Configuration
- AML.T0106 Exploitation for Credential Access
What are the technical details?
Original Advisory
Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.
Exploitation Scenario
An attacker who has acquired any Flowise user account — via credential stuffing, phishing, or insider access — sends a PATCH request to the account profile API endpoint, updating the email field to an attacker-controlled address. No current-password confirmation is required. The attacker then triggers the standard password reset flow; the reset link arrives at the attacker's inbox. After resetting the password, the attacker has full, persistent control of the account. In an enterprise Flowise deployment, targeting an admin account immediately exposes all AI agent configurations, system prompts, and stored API keys for LLM providers — enabling lateral movement into any system those agents are authorized to access.
Weaknesses (CWE)
CWE-620 — Unverified Password Change: When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
- [Architecture and Design] When prompting for a password change, force the user to provide the original password in addition to the new password.
- [Architecture and Design] Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.
Source: MITRE CWE corpus.
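The CWE-620 guidance above, applied to the email-change flow the advisory describes, as an added illustration that is not Flowise's code (the in-memory user record, the `notifications` array standing in for an email sender, and the 15-minute token lifetime are all assumptions): the unverified handler swaps the address on any valid session, while the hardened handler re-checks the current password, stages the change, and only commits it when a single-use token sent to the original address is presented.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Hypothetical records; the page does not show Flowise's real schema.
interface User { id: string; email: string; salt: Buffer; passwordHash: Buffer; }
interface PendingChange { userId: string; newEmail: string; expires: number; }

// Constructed stand-ins for a mail sender and a pending-change store.
const notifications: { to: string; subject: string }[] = [];
const pending = new Map<string, PendingChange>();

function hashPassword(pw: string, salt: Buffer): Buffer { return scryptSync(pw, salt, 32); }

function createUser(id: string, email: string, password: string): User {
  const salt = randomBytes(16);
  return { id, email, salt, passwordHash: hashPassword(password, salt) };
}

function verifyPassword(user: User, pw: string): boolean {
  return timingSafeEqual(user.passwordHash, hashPassword(pw, user.salt));
}

// Vulnerable pattern from the advisory: a valid session is the only check, nobody is told.
function updateEmailUnverified(user: User, newEmail: string): void {
  user.email = newEmail;
}

// Hardened pattern: require the current password, stage the change, and send the
// confirmation token to the ORIGINAL address so the legitimate owner must approve it.
function requestEmailChange(user: User, currentPassword: string, newEmail: string, now = Date.now()): string {
  if (!verifyPassword(user, currentPassword)) throw new Error("current password required");
  const token = randomBytes(24).toString("hex");
  pending.set(token, { userId: user.id, newEmail, expires: now + 15 * 60_000 });
  notifications.push({ to: user.email, subject: `Confirm email change to ${newEmail}: ${token}` });
  return token; // returned only for the caller's audit log; the user receives it by mail
}

// Commit happens only with a live, single-use token bound to the same account.
function confirmEmailChange(user: User, token: string, now = Date.now()): boolean {
  const change = pending.get(token);
  if (!change || change.userId !== user.id || change.expires < now) return false;
  pending.delete(token);
  user.email = change.newEmail;
  return true;
}
```

Proving ownership of the new address (a second token mailed there) is a further step not shown here.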
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Related Vulnerabilities
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection (same package: flowise)
- CVE-2026-46442 (9.9) Flowise: sandbox escape enables authenticated RCE (same package: flowise)
- CVE-2025-61913 (9.9) Flowise: path traversal in file tools leads to RCE (same package: flowise)
- CVE-2026-40933 (9.9) Flowise: RCE via MCP stdio command injection (same package: flowise)
- CVE-2026-56274 (9.9) Flowise: RCE via MCP server command validation bypass (same package: flowise)