
FlowiseAI Password Reset Token Vulnerability Enables Account Takeover


A critical vulnerability in FlowiseAI has been discovered that allows attackers to take over user accounts with minimal effort.

The flaw, tracked as CVE-2025-58434, affects both cloud-hosted and self-hosted FlowiseAI deployments, posing significant risks to organizations using this AI workflow automation platform.

CVE Number: CVE-2025-58434
Affected Product: FlowiseAI (npm package flowise)
Vulnerability Type: Unauthenticated Password Reset Token Disclosure
CVSS 3.1 Score: 9.8 (Critical)

Critical Security Flaw in Password Reset Mechanism

The vulnerability lies in FlowiseAI’s password reset functionality, specifically the /api/v1/account/forgot-password endpoint, according to the security researcher’s report.

Instead of delivering reset tokens only through email, as secure practice requires, the endpoint returns sensitive user data, including a valid password reset token, directly in the API response to whoever made the request.

When an attacker requests a password reset for any email address, the system responds with comprehensive user details, including the user ID, name, email, hashed credentials, and ...


Copyright of this story solely belongs to gbhackers.