CVE-2025-71327 | Flowise contains an authentication bypass vulnerability in t… | CVSS 9.1 CRITICAL

Description

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API access without credentials.

Metadata

CVE ID: CVE-2025-71327
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-08 20:44 UTC
Published: 2026-06-25 21:41 UTC
Last updated: 2026-06-25 21:41 UTC
Primary CWE: CWE-306
Missing Authentication for Critical Function
Vendor / Product: Flowise / Flowise
Sources: cve.org · NVD

Severity & Metrics

9.1 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected products (1)

Vendor	Product	Platform	Versions
Flowise	Flowise	—	3.0.1

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	Missing Authentication for Critical Function

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
9.1	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (2)

GitHub Security Advisory (GHSA-v5w9-prxf-w882) https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v5w9-prxf-w882
VulnCheck Advisory: Flowise - Authentication Bypass via Unprotected Registration Endpoint https://www.vulncheck.com/advisories/flowise-authentication-bypass-via-unprotected-registration-endpoint