Loading market data...
← Back to CVE feed

CVE-2025-71337

HIGH CVSS 8.3 View on NVD ↗

Description

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Published: Jun 23, 2026 13:16 UTC Modified: Jun 23, 2026 14:48 UTC