CVE-2025-58434: Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, t
Summary
Flowise, a tool for building custom AI workflows through a visual interface, has a critical security flaw in versions 3.0.5 and earlier where the password reset endpoint leaks sensitive information like reset tokens without requiring authentication. This allows attackers to take over any user account by generating a fake reset token and changing the user's password.
Solution / Mitigation
Upgrade to version 3.0.6 or later, which includes commit 9e178d68873eb876073846433a596590d3d9c863 that secures password reset endpoints. The source also recommends: (1) never return reset tokens or account details in API responses; (2) send tokens only through the user's registered email; (3) make the forgot-password endpoint respond with a generic success message to prevent attackers from discovering which accounts exist; (4) require strong validation of reset tokens, including making them single-use, giving them a short expiration time, and tying them to the request origin; and (5) apply these same fixes to both cloud and self-hosted deployments.
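Recommendations (1) to (4) above, sketched as an added example; this is not Flowise's code or the contents of the fix commit. The function names, in-memory stores, sample account and 15-minute lifetime are assumptions made for illustration, and binding the token to the request origin is left out to keep the sketch short.

```javascript
// Added example: hardened forgot-password flow (hypothetical names, in-memory stores).
const crypto = require('node:crypto');

const TOKEN_TTL_MS = 15 * 60 * 1000;   // assumed short expiry: 15 minutes
const GENERIC = { message: 'If the account exists, a reset email has been sent.' };

const users = new Map([['alice@example.test', { password: 'old-hash' }]]); // constructed sample
const resetTokens = new Map();         // sha256(token) -> { email, expiresAt }
const outbox = [];                     // stand-in for the mail transport

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Returns the same body whether or not the account exists. The token leaves
// the server only through the registered mailbox, never in the API response.
function requestReset(email, now = Date.now()) {
  if (users.has(email)) {
    const token = crypto.randomBytes(32).toString('hex');
    // Only a hash is stored, so a leaked token table cannot be replayed.
    resetTokens.set(sha256(token), { email, expiresAt: now + TOKEN_TTL_MS });
    outbox.push({ to: email, token });
  }
  return { ...GENERIC };
}

// A token is accepted once and only before it expires.
function redeemReset(token, newPassword, now = Date.now()) {
  const key = sha256(String(token));
  const rec = resetTokens.get(key);
  if (!rec) return false;
  resetTokens.delete(key);             // single-use: consumed even when expired
  if (now > rec.expiresAt) return false;
  users.get(rec.email).password = newPassword; // real code stores a password hash
  return true;
}
```
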
Vulnerability Details
9.8 (critical)
EPSS: 7.6%
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-58434
First tracked: February 15, 2026 at 08:53 PM