GHSA-fjh6-8679-9pch: Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change

November 14, 2025

Bypass of Password Confirmation - Unverified Password Change (authenticated change without current password)

An authenticated user is allowed to change their account password without supplying the current password or any additional verification. The application does not verify the actor’s authority to perform that credential change (no current-password check, no authorization enforcement). An attacker who is merely authenticated (or who can trick or coerce an authenticated session) can set a new password and gain control of the account. (ATO - Account Takeover)

References

github.com/FlowiseAI/Flowise
github.com/FlowiseAI/Flowise/pull/5294
github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.10
github.com/FlowiseAI/Flowise/security/advisories/GHSA-fjh6-8679-9pch
github.com/advisories/GHSA-fjh6-8679-9pch

Code Behaviors & Features

Detect and mitigate GHSA-fjh6-8679-9pch with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →