SB2026040909 - Multiple vulnerabilities in Flowise
Published: April 9, 2026
Description
This security bulletin contains information about three security vulnerabilities.
1) Insufficient Session Expiration (CVE-ID: N/A)
The vulnerability allows a remote user to retain unauthorized access to the application after a password change.
The vulnerability exists due to insufficient session expiration in session management when processing password changes. A remote user can continue using an existing active session token to retain unauthorized access to the application after a password change.
Other active sessions and session tokens established before the password change are not invalidated, so a session obtained before the change remains usable after it.
2) Unverified Credential Change (CVE-ID: N/A)
The vulnerability allows a remote user to take over accounts.
The vulnerability exists due to an unverified credential change in the account profile email-change functionality. The account email address can be updated without confirming the current password, so a remote user with access to an authenticated session can change the email address associated with the account and take it over.
Because the changed email address serves as a login identifier and as the password-recovery channel, control of that address amounts to control of the account.
3) Unverified Password Change (CVE-ID: N/A)
The vulnerability allows a remote user to gain control of the account.
The vulnerability exists due to unverified password change in the account security settings when changing an account password. A remote user can change the password without supplying the current password to gain control of the account.
The issue affects the password-change flow in the account security settings, which accepts a new password without current-password verification or any additional verification step.
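The three weaknesses above share one fix pattern: treat an email change and a password change as credential changes that require the current password, and bind every session token to a per-user version that is bumped when the password changes. The following is an added example written for this bulletin, not Flowise's own code; the in-memory user and session stores, the function names and the `sessionVersion` field are assumptions chosen to illustrate the pattern. An intentionally insecure `changePasswordInsecure` is included beside the hardened handlers to show the behaviour described in items 1 and 3.

```typescript
import * as crypto from "crypto";

// Added example (not Flowise code). In-memory users and sessions stand in
// for the application's real stores; identifiers and field names are assumed.
interface User {
  id: string;
  email: string;
  passwordHash: string;   // "salt:scryptKeyHex"
  sessionVersion: number; // incremented on password change; stale tokens fail
}
interface Session { userId: string; sessionVersion: number; }
type Result = { ok: true } | { ok: false; error: string };

const users = new Map<string, User>();       // keyed by user id
const sessions = new Map<string, Session>(); // keyed by bearer token

export function hashPassword(password: string): string {
  const salt = crypto.randomBytes(16).toString("hex");
  return `${salt}:${crypto.scryptSync(password, salt, 32).toString("hex")}`;
}

export function verifyPassword(password: string, stored: string): boolean {
  const [salt = "", keyHex = ""] = stored.split(":");
  const expected = Buffer.from(keyHex, "hex");
  const derived = crypto.scryptSync(password, salt, 32);
  return derived.length === expected.length && crypto.timingSafeEqual(derived, expected);
}

export function createUser(id: string, email: string, password: string): User {
  const user: User = { id, email, passwordHash: hashPassword(password), sessionVersion: 0 };
  users.set(id, user);
  return user;
}

export function login(email: string, password: string): string | null {
  const user = Array.from(users.values()).find((u) => u.email === email);
  if (!user || !verifyPassword(password, user.passwordHash)) return null;
  const token = crypto.randomBytes(32).toString("hex");
  sessions.set(token, { userId: user.id, sessionVersion: user.sessionVersion });
  return token;
}

// A token is valid only if it was issued under the user's current sessionVersion.
export function resolveSession(token: string): User | null {
  const s = sessions.get(token);
  const user = s ? users.get(s.userId) : undefined;
  if (!s || !user || s.sessionVersion !== user.sessionVersion) {
    sessions.delete(token);
    return null;
  }
  return user;
}

// Vulnerable shape (items 1 and 3): no current-password check and no session
// invalidation, so every token issued before the change keeps working.
export function changePasswordInsecure(token: string, newPassword: string): Result {
  const user = resolveSession(token);
  if (!user) return { ok: false, error: "unauthenticated" };
  user.passwordHash = hashPassword(newPassword);
  return { ok: true };
}

// Hardened: require the current password, then bump sessionVersion so all
// other sessions are rejected; the calling session is re-stamped and survives.
export function changePassword(token: string, currentPassword: string, newPassword: string): Result {
  const user = resolveSession(token);
  if (!user) return { ok: false, error: "unauthenticated" };
  if (!verifyPassword(currentPassword, user.passwordHash)) {
    return { ok: false, error: "current password incorrect" };
  }
  user.passwordHash = hashPassword(newPassword);
  user.sessionVersion += 1;
  sessions.get(token)!.sessionVersion = user.sessionVersion;
  return { ok: true };
}

// Hardened email change (item 2): the email is a login identifier and the
// recovery channel, so changing it is a credential change and needs the password.
export function changeEmail(token: string, currentPassword: string, newEmail: string): Result {
  const user = resolveSession(token);
  if (!user) return { ok: false, error: "unauthenticated" };
  if (!verifyPassword(currentPassword, user.passwordHash)) {
    return { ok: false, error: "current password incorrect" };
  }
  user.email = newEmail;
  return { ok: true };
}
```

The version counter is stored on the user rather than on each session so that invalidation is a single write and works across several application instances sharing the user store; a session store that supports deleting all sessions for a user is an equivalent alternative. Re-stamping the calling session keeps the legitimate user logged in while every other pre-existing token, including one an attacker obtained earlier, stops resolving.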
Remediation
Install the update from the vendor's website.
References
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x7rp-qj2h-ghgw
- https://github.com/advisories/GHSA-x7rp-qj2h-ghgw
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4
- https://github.com/advisories/GHSA-x39m-3393-3qp4
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fjh6-8679-9pch
- https://github.com/advisories/GHSA-fjh6-8679-9pch