Vulnerability Details CVE-2025-71335
Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 17.1%
CVSS Severity
CVSS v3 Score 8.1