Description

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.

Severity (CVSS)

Base score8.6
SeverityHigh
VersionCVSS 4.0
VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Provided byCNA

Weaknesses

  • CWE-613 — Insufficient Session Expiration

Affected products

VendorProductVersions
FlowiseFlowise0 to <3.0.10; 3.0.10

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 26 Jun 2026 07:05 UTC.