
FlowiseAI Password Reset Token Flaw Enables Account Takeover

  • admin
  • September 15, 2025
  • data-breaches

FlowiseAI Password Reset Token Vulnerability

A significant vulnerability has been identified within FlowiseAI’s platform, revealing an authentication bypass issue that allows attackers to seize control of user accounts with ease. This flaw falls under the designation CVE-2025-58434 and affects both the cloud service at cloud.flowiseai.com and self-hosted versions of the software. Organizations utilizing this platform should be especially vigilant as this vulnerability presents a considerable security risk.

The vulnerability lies in the /api/v1/account/forgot-password endpoint, which returns the password-reset token in its API response to whoever made the request, without verifying who is asking. In effect, this lets an attacker skip the email confirmation step that a password reset is supposed to require.

To exploit this vulnerability, an attacker needs only the victim’s email address. A single POST request to the vulnerable endpoint returns the full user object, including the temporary token needed to reset the password, with a 201 Created status. That response alone gives the attacker what is needed to take over the account.

Once the temporary token is obtained, it can be re-used at the /api/v1/account/reset-password endpoint, allowing the attacker to change the victim’s credentials without any further verification steps. This exploitation process exemplifies the ease with which an adversary can leverage insufficient validation mechanisms to gain unauthorized access.

This flaw was discovered and reported by security researchers Zaddy6 and Arthurgervais, highlighting the importance of timely disclosure in mitigating security risks. FlowiseAI customers, particularly those relying on cloud or on-premises deployments prior to version 3.0.5, are urged to implement immediate security measures to safeguard their systems.

In response to the vulnerability, FlowiseAI administrators should ensure that the /api/v1/account/forgot-password endpoint does not disclose sensitive information. A more secure implementation would involve providing generic success messages along with robust server-side validation to manage temporary tokens effectively.
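The following is an added example, not Flowise’s own code, showing the insecure pattern the article describes beside a hardened forgot-password and reset-password pair built on the advice above: a generic response regardless of whether the address exists, the raw token delivered only by email, and the server keeping just a hash of the token with an expiry and a single-use flag. The in-memory `users` table, `tokenStore`, `sendResetEmail` and `outbox` are hypothetical stand-ins for the real database and mailer, and the password hashing uses a fixed salt for the demo only.

```typescript
// Added example (not from Flowise): vulnerable vs hardened password-reset flow.
// users, tokenStore, sendResetEmail and outbox are hypothetical stand-ins.
import * as crypto from 'node:crypto';

interface User { id: string; email: string; passwordHash: string; }

// Constructed in-memory user table standing in for the real database.
const users: User[] = [
  { id: 'u1', email: 'alice@example.com', passwordHash: hashPassword('old-secret') },
];

// Only a SHA-256 hash of each reset token is stored, together with an
// expiry and a single-use flag. The raw token goes out by email and nowhere else.
interface StoredToken { userId: string; expiresAt: number; used: boolean; }
const tokenStore = new Map<string, StoredToken>();

// Hypothetical mail hook: records what would have been emailed so the flow
// can be exercised offline.
export const outbox: { to: string; token: string }[] = [];
function sendResetEmail(to: string, token: string): void { outbox.push({ to, token }); }

// Demo-only password hashing with a fixed salt; real code uses a per-user random salt.
function hashPassword(pw: string): string {
  return crypto.scryptSync(pw, 'static-salt-for-demo', 32).toString('hex');
}
function sha256(s: string): string {
  return crypto.createHash('sha256').update(s).digest('hex');
}

const TOKEN_TTL_MS = 15 * 60_000; // assumed 15-minute validity

// VULNERABLE pattern, as the write-up describes it: the user object, including
// the temporary token, is echoed back to whoever posted the email address.
export function forgotPasswordVulnerable(email: string, now = Date.now()) {
  const user = users.find(u => u.email === email);
  if (!user) return { status: 404, body: { error: 'not found' } as Record<string, unknown> };
  const tempToken = crypto.randomBytes(32).toString('hex');
  tokenStore.set(sha256(tempToken), { userId: user.id, expiresAt: now + TOKEN_TTL_MS, used: false });
  sendResetEmail(user.email, tempToken);
  return { status: 201, body: { ...user, tempToken } as Record<string, unknown> }; // leaks the token
}

// HARDENED: identical response whether or not the address is registered,
// and the token never appears in the response body.
export function forgotPasswordHardened(email: string, now = Date.now()) {
  const user = users.find(u => u.email === email);
  if (user) {
    const tempToken = crypto.randomBytes(32).toString('hex');
    tokenStore.set(sha256(tempToken), { userId: user.id, expiresAt: now + TOKEN_TTL_MS, used: false });
    sendResetEmail(user.email, tempToken);
  }
  return { status: 200, body: { message: 'If that address is registered, a reset link has been sent.' } };
}

// Reset endpoint: look the token up by hash, enforce expiry and single use,
// then rotate the password. Invalid and expired tokens get the same answer.
export function resetPassword(tempToken: string, newPassword: string, now = Date.now()) {
  const entry = tokenStore.get(sha256(tempToken));
  if (!entry || entry.used || entry.expiresAt < now) {
    return { status: 400, body: { error: 'invalid or expired token' } };
  }
  entry.used = true;
  const user = users.find(u => u.id === entry.userId)!;
  user.passwordHash = hashPassword(newPassword);
  return { status: 200, body: { message: 'password updated' } };
}

// Constant-time comparison of the stored hash against a candidate password.
export function verifyPassword(email: string, pw: string): boolean {
  const user = users.find(u => u.email === email);
  if (!user) return false;
  return crypto.timingSafeEqual(
    Buffer.from(user.passwordHash, 'hex'),
    Buffer.from(hashPassword(pw), 'hex'),
  );
}
```

The two forgot-password handlers are deliberately parallel so the difference is visible: the only thing the hardened one changes is what leaves the server. Note that the generic message also removes the account-enumeration signal a 404 would give.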

Until official patches are deployed, organizations are advised to temporarily restrict access to affected API endpoints and consider employing a Web Application Firewall (WAF) to enhance security measures. By adopting these strategies, businesses can better protect themselves from potential account takeovers, fortifying the security of user credentials and maintaining data integrity.
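While access to the endpoint is restricted, it is also worth watching who is calling it. The block below is an added example, not part of the article or of Flowise, that parses web-server access log lines in common log format and flags any source IP that sends an unusually dense burst of POSTs to /api/v1/account/forgot-password. The log lines, the five-requests-per-minute threshold and the window size are all constructed assumptions to tune for your own traffic.

```typescript
// Added example (not from the article or Flowise): flag bursts of
// forgot-password requests per source IP from access-log lines.
// The log lines below are constructed; threshold and window are assumptions.

interface Hit { ip: string; ts: number; method: string; path: string; status: number; }

const MONTHS = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];

// Parse "15/Sep/2025:10:00:01 +0000" into epoch milliseconds (UTC).
function parseTimestamp(s: string): number {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return NaN;
  const month = MONTHS.indexOf(m[2]);
  if (month < 0) return NaN;
  const local = Date.UTC(+m[3], month, +m[1], +m[4], +m[5], +m[6]);
  const offsetMs = (m[7] === '-' ? -1 : 1) * (+m[8] * 60 + +m[9]) * 60_000;
  return local - offsetMs;
}

// Common log format: ip ident user [timestamp] "METHOD path proto" status bytes
const LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

export function parseLine(line: string): Hit | null {
  const m = LINE.exec(line);
  if (!m) return null;
  const ts = parseTimestamp(m[2]);
  if (Number.isNaN(ts)) return null;
  return { ip: m[1], ts, method: m[3], path: m[4], status: +m[5] };
}

const FORGOT_PATH = '/api/v1/account/forgot-password';

// Return the IPs whose peak number of forgot-password POSTs inside any
// windowMs-long window reached maxPerWindow, with that peak count.
export function findBursts(log: string, maxPerWindow = 5, windowMs = 60_000): Map<string, number> {
  const byIp = new Map<string, number[]>();
  for (const raw of log.split('\n')) {
    const hit = parseLine(raw.trim());
    if (!hit || hit.method !== 'POST' || hit.path !== FORGOT_PATH) continue;
    const list = byIp.get(hit.ip) ?? [];
    list.push(hit.ts);
    byIp.set(hit.ip, list);
  }
  const flagged = new Map<string, number>();
  byIp.forEach((times, ip) => {
    times.sort((a, b) => a - b);
    let peak = 0;
    // Sliding window: j trails i so that times[i] - times[j] <= windowMs.
    for (let i = 0, j = 0; i < times.length; i++) {
      while (times[i] - times[j] > windowMs) j++;
      peak = Math.max(peak, i - j + 1);
    }
    if (peak >= maxPerWindow) flagged.set(ip, peak);
  });
  return flagged;
}

// Constructed sample: one address hammering the endpoint, one ordinary user.
export const SAMPLE_LOG = `
203.0.113.7 - - [15/Sep/2025:10:00:01 +0000] "POST /api/v1/account/forgot-password HTTP/1.1" 201 842
203.0.113.7 - - [15/Sep/2025:10:00:04 +0000] "POST /api/v1/account/forgot-password HTTP/1.1" 201 839
203.0.113.7 - - [15/Sep/2025:10:00:07 +0000] "POST /api/v1/account/forgot-password HTTP/1.1" 201 845
203.0.113.7 - - [15/Sep/2025:10:00:09 +0000] "POST /api/v1/account/forgot-password HTTP/1.1" 201 841
203.0.113.7 - - [15/Sep/2025:10:00:12 +0000] "POST /api/v1/account/forgot-password HTTP/1.1" 201 838
203.0.113.7 - - [15/Sep/2025:10:00:15 +0000] "POST /api/v1/account/forgot-password HTTP/1.1" 201 840
203.0.113.7 - - [15/Sep/2025:10:00:18 +0000] "POST /api/v1/account/reset-password HTTP/1.1" 200 57
198.51.100.3 - - [15/Sep/2025:10:05:30 +0000] "POST /api/v1/account/forgot-password HTTP/1.1" 201 843
198.51.100.3 - - [15/Sep/2025:10:05:31 +0000] "GET /api/v1/some-other-endpoint HTTP/1.1" 200 1203
`;
```

Run `findBursts(SAMPLE_LOG)` and the first address is reported with a peak of six requests in one window while the second is not. Because the body of each request is not in an access log, the rule keys on request density per source rather than on which email addresses were submitted; that keeps it usable on logs you already have.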

For ongoing updates related to this critical issue, businesses should monitor credible sources within the cybersecurity landscape, ensuring they stay informed on vulnerabilities that may directly impact their operations.

Copyright © 2025 - Breachspot, Security Breaches Spotted