CVE 9.3 CRITICAL

Flowise – Authentication Bypass via Unprotected Registration Endpoint_CVE-2025-71327

June 25, 2026 invoker category_cve

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API access without credentials.

AI Analysis

Authentication bypass vulnerability in Flowise via unprotected registration endpoint

Basic Information

ID CVE-2025-71327

Source VulnCheck

Published Jun 25, 2026 at 21:41

Affected Product

Vendor Flowise

Product Flowise

Version 3.0.1

Affected Versions Flowise Flowise 3.0.1

CWE Classification

CWE-306

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor Flowise

Product Flowise

Version 3.0.1

References

{
    "lastseen": "",
    "description": "Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API access without credentials.",
    "published": "2026-06-25T21:41:03.513Z",
    "modified": "2026-06-25T21:41:03.513Z",
    "type": "cve",
    "title": "Flowise - Authentication Bypass via Unprotected Registration Endpoint",
    "source": "VulnCheck",
    "references": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v5w9-prxf-w882\nhttps://www.vulncheck.com/advisories/flowise-authentication-bypass-via-unprotected-registration-endpoint",
    "id": "CVE-2025-71327",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "Flowise Flowise 3.0.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Flowise",
    "version": "3.0.1",
    "vendor": "Flowise",
    "ai_description": "Authentication bypass vulnerability in Flowise via unprotected registration endpoint",
    "ai_severity": "Critical",
    "ai_vendor": "Flowise",
    "ai_product": "Flowise",
    "ai_version": "3.0.1",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply