GHSA-x39m-3393-3qp4: Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials)
Unverified Email Change - Email as part of Credential / Unverified Account Recovery Channel Change
The application allows changing the account email address (used as a login identifier and/or password recovery address) without verifying the requester’s authority to make that change (no confirmation to the old email, no authentication step). Because email often functions as a credential or recovery channel, unverified email changes enable attackers to take over accounts by switching the account’s recovery/login address.