CVE 8.6 HIGH

Flowise – Session Invalidation Failure After Password Change_CVE-2025-71335

June 25, 2026 invoker category_cve

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.

AI Analysis

Session Invalidation Failure After Password Change

Basic Information

ID CVE-2025-71335

Source VulnCheck

Published Jun 25, 2026 at 21:41

Affected Product

Vendor Flowise

Product Flowise

Affected Versions Flowise Flowise 0

CWE Classification

CWE-613

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor Flowise

Product Flowise

Version 3.0.7 and earlier

References

{
    "lastseen": "",
    "description": "Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.",
    "published": "2026-06-25T21:41:06.213Z",
    "modified": "2026-06-25T21:41:06.213Z",
    "type": "cve",
    "title": "Flowise - Session Invalidation Failure After Password Change",
    "source": "VulnCheck",
    "references": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x7rp-qj2h-ghgw\nhttps://www.vulncheck.com/advisories/flowise-session-invalidation-failure-after-password-change",
    "id": "CVE-2025-71335",
    "bulletinFamily": "",
    "cwe": [
        "CWE-613"
    ],
    "cvelist": null,
    "sourceData": "Flowise Flowise 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Flowise",
    "version": "0",
    "vendor": "Flowise",
    "ai_description": "Session Invalidation Failure After Password Change",
    "ai_severity": "High",
    "ai_vendor": "Flowise",
    "ai_product": "Flowise",
    "ai_version": "3.0.7 and earlier",
    "ai_score": 8.6
}

💭 Join the Security Discussion ❌ Cancel Reply