GHSA-59fh-9f3p-7m39: Flowise: Mass Assignment in PUT /api/v1/user Allows Authenticated Users to Override Password Hash and Bypass Password Change Verification
Summary
Flowise has a mass assignment vulnerability in its PUT /api/v1/user endpoint that lets authenticated users directly change their password hash without verifying their old password. An attacker with a stolen session token can send a crafted request that overwrites the credential field, bypassing password verification, hashing enforcement, and policy validation, which gives them permanent access to the account.
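The pattern described in the summary, shown next to a hardened form. This is an added example, not Flowise's code or its patch: apart from `credential`, the field names, the injected `hasher` object, the status codes and the 12-character minimum are assumptions made for illustration.

```javascript
// Added illustration; only the `credential` field name comes from the advisory.
const PROFILE_FIELDS = new Set(['name', 'email']);            // client-writable (assumed)
const PASSWORD_FIELDS = new Set(['oldPassword', 'newPassword']);

// Constructed sample data, not taken from a real instance.
const SAMPLE_USER = { id: 'u1', name: 'Ann', email: 'ann@example.test', credential: 'hash(old-password-123)' };
const ATTACK_BODY = { name: 'Ann', credential: 'attacker-chosen-hash' };

// Vulnerable pattern: every body key is copied onto the stored record,
// so a client-supplied `credential` replaces the password hash directly.
function updateUserUnsafe(user, body) {
  return Object.assign({}, user, body);
}

// Hardened pattern. `hasher` is an injected dependency (hypothetical shape):
//   hasher.verify(plain, storedHash) -> boolean, hasher.hash(plain) -> string
function updateUserSafe(user, body, hasher, minLength = 12) {
  const updated = { ...user };
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (PROFILE_FIELDS.has(key) && typeof body[key] === 'string') updated[key] = body[key];
    else if (!PASSWORD_FIELDS.has(key)) rejected.push(key); // credential, id, role, ...
  }
  if (rejected.length > 0) {
    // Fail closed: an unknown key is an error, not something to drop silently.
    return { ok: false, status: 400, error: `unexpected fields: ${rejected.join(', ')}` };
  }
  if ('newPassword' in body) {
    // A password change needs proof of the current password, then policy, then hashing.
    if (typeof body.oldPassword !== 'string' || !hasher.verify(body.oldPassword, user.credential)) {
      return { ok: false, status: 403, error: 'current password required' };
    }
    if (typeof body.newPassword !== 'string' || body.newPassword.length < minLength) {
      return { ok: false, status: 400, error: 'password policy not met' };
    }
    updated.credential = hasher.hash(body.newPassword); // hash is always computed server-side
  }
  return { ok: true, status: 200, user: updated };
}
```

Rejected field names are also worth logging: a `credential` key arriving on a profile update is a useful detection signal for a misused session.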
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-59fh-9f3p-7m39
First tracked: May 20, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 85%