The vulnerability in Flowise prior to version 3.0.10 is an unverified password change issue (CWE-620). Authenticated users can change their password without supplying the current password or undergoing any verification, due to the absence of enforcement of a current-password check during credential changes. This flaw enables an attacker who can hijack or coerce an authenticated session to take over the account fully. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no user interaction, and high impact on confidentiality and integrity, with a high severity rating. No patch or official fix information is provided in the data.

An attacker who gains access to an authenticated session can change the account password without needing the current password, leading to full account takeover. This compromises account confidentiality and integrity, potentially allowing unauthorized access and control over the affected user account.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to authenticated sessions and monitor for suspicious activity. Implement additional verification controls for password changes if possible.