A critical security vulnerability (CVE-2025-58434) in FlowiseAI allows attackers to bypass authentication and take over accounts by exploiting the password reset functionality. All versions below 3.0.5 are affected, with no current patch available. #FlowiseAI #CVE58434
Key points
- The vulnerability affects both cloud-hosted and self-hosted FlowiseAI deployments.
- The flaw lies in the /api/v1/account/forgot-password endpoint, whose response discloses sensitive account data.
- Attackers can bypass authentication and reset passwords using the reset token returned in the API response.
- No official fix exists yet, and immediate mitigation measures are strongly recommended.
- Organizations should disable public access to the endpoint and strengthen token validation processes.
Read More: https://thecyberexpress.com/cve-2025-58434/