CVE-2026-41276: CWE-287: Improper Authentication in FlowiseAI Flowise
CVE-2026-41276 is an authentication bypass vulnerability in FlowiseAI Flowise versions prior to 3. 1. 0. The flaw exists in the resetPassword method of the AccountService class, where no verification is done to confirm that a password reset token was generated. An attacker knowing a user's email can reset that user's password by submitting a null or empty reset token. This allows unauthorized password resets without authentication. The vulnerability is fixed in version 3. 1. 0.
AI Analysis
Technical Summary
FlowiseAI Flowise before version 3.1.0 contains an improper authentication vulnerability (CWE-287) in its password reset functionality. Specifically, the resetPassword method does not check if a valid reset token was issued before allowing a password reset. Since the default reset token value is null or empty, an attacker can exploit this by submitting a reset request with a null or empty token for any known user email, effectively bypassing authentication and resetting the user's password. This critical flaw enables unauthorized account takeover. The issue is resolved in Flowise version 3.1.0.
Potential Impact
An attacker can reset any user's password without authentication by exploiting the lack of reset token validation. This leads to unauthorized account access and potential full compromise of user accounts on affected Flowise installations prior to version 3.1.0. The vulnerability has a CVSS 4.0 score of 7.7 (high severity), indicating significant risk if exploited.
Mitigation Recommendations
Upgrade Flowise to version 3.1.0 or later where this vulnerability is fixed. No other official remediation or temporary fixes are documented. Until patched, restrict access to the password reset API endpoint or implement additional access controls to prevent unauthorized password resets.
CVE-2026-41276: CWE-287: Improper Authentication in FlowiseAI Flowise
Description
CVE-2026-41276 is an authentication bypass vulnerability in FlowiseAI Flowise versions prior to 3. 1. 0. The flaw exists in the resetPassword method of the AccountService class, where no verification is done to confirm that a password reset token was generated. An attacker knowing a user's email can reset that user's password by submitting a null or empty reset token. This allows unauthorized password resets without authentication. The vulnerability is fixed in version 3. 1. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
FlowiseAI Flowise before version 3.1.0 contains an improper authentication vulnerability (CWE-287) in its password reset functionality. Specifically, the resetPassword method does not check if a valid reset token was issued before allowing a password reset. Since the default reset token value is null or empty, an attacker can exploit this by submitting a reset request with a null or empty token for any known user email, effectively bypassing authentication and resetting the user's password. This critical flaw enables unauthorized account takeover. The issue is resolved in Flowise version 3.1.0.
Potential Impact
An attacker can reset any user's password without authentication by exploiting the lack of reset token validation. This leads to unauthorized account access and potential full compromise of user accounts on affected Flowise installations prior to version 3.1.0. The vulnerability has a CVSS 4.0 score of 7.7 (high severity), indicating significant risk if exploited.
Mitigation Recommendations
Upgrade Flowise to version 3.1.0 or later where this vulnerability is fixed. No other official remediation or temporary fixes are documented. Until patched, restrict access to the password reset API endpoint or implement additional access controls to prevent unauthorized password resets.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-18T14:01:46.802Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ea9e7887115cfb686fc367
Added to database: 4/23/2026, 10:34:32 PM
Last enriched: 4/23/2026, 11:22:48 PM
Last updated: 4/24/2026, 6:10:27 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.