Main Vulnerability Database Exploits ID:12606 - Exploit for Improper access control in Flowise - CVE-2025-58434

ID:12606 - Exploit for Improper access control in Flowise - CVE-2025-58434

Published: April 17, 2026

Vulnerability identifier: #VU125538

Vulnerability risk: High

CVE-ID: CVE-2025-58434

CWE-ID: CWE-284

Exploitation vector: Remote access

Vulnerable software:
Flowise

Link to public exploit:

https://github.com/r3nsi15/Flowise-CVE-2025-58434-PasswordReset

Vulnerability description

The vulnerability allows a remote attacker to take over arbitrary accounts.

The vulnerability exists due to improper access control in the /api/v1/account/forgot-password endpoint when handling password reset requests. A remote attacker can obtain a valid password reset token for an arbitrary user and use it to take over arbitrary accounts.

The issue affects both Flowise Cloud and self-hosted deployments that expose the same API, and exploitation requires only knowledge of the victim's email address.

Remediation

Install security update from vendor's website.

ID:12606 - Exploit for Improper access control in Flowise - CVE-2025-58434

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human