Flowise – Unverified Email Change via Account Profile Endpoint

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Description

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.

AI Analysis

Unverified email change vulnerability allowing account takeover via password reset mechanisms

Basic Information

ID CVE-2025-71337

Source VulnCheck

Published Jun 23, 2026 at 12:12

Affected Product

Vendor Flowise

Product Flowise

Affected Versions Flowise Flowise 0

CWE Classification

CWE-620

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Flowise

Product Flowise

Version 3.0.7 and earlier

References

{
    "lastseen": "",
    "description": "Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.",
    "published": "2026-06-23T12:12:52.547Z",
    "modified": "2026-06-23T12:12:52.547Z",
    "type": "cve",
    "title": "Flowise - Unverified Email Change via Account Profile Endpoint",
    "source": "VulnCheck",
    "references": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4\nhttps://www.vulncheck.com/advisories/flowise-unverified-email-change-via-account-profile-endpoint",
    "id": "CVE-2025-71337",
    "bulletinFamily": "",
    "cwe": [
        "CWE-620"
    ],
    "cvelist": null,
    "sourceData": "Flowise Flowise 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Flowise",
    "version": "0",
    "vendor": "Flowise",
    "ai_description": "Unverified email change vulnerability allowing account takeover via password reset mechanisms",
    "ai_severity": "High",
    "ai_vendor": "Flowise",
    "ai_product": "Flowise",
    "ai_version": "3.0.7 and earlier",
    "ai_score": 8.7
}

Flowise – Unverified Email Change via Account Profile Endpoint_CVE-2025-71337