CVE-2025-71335 | Flowise before 3.0.10 (affected versions 3.0.7 and earlier) … | CVSS 8.1 HIGH

Description

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.

Metadata

CVE ID: CVE-2025-71335
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 01:48 UTC
Published: 2026-06-25 21:41 UTC
Last updated: 2026-06-25 21:41 UTC
Primary CWE: CWE-613
Insufficient Session Expiration
Vendor / Product: Flowise / Flowise
Sources: cve.org · NVD

Severity & Metrics

8.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected products (1)

Vendor	Product	Platform	Versions
Flowise	Flowise	—	0 < 3.0.10, 3.0.10

Weakness (CWE)

CWE	Source	Description
CWE-613	cna	Insufficient Session Expiration

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.6	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
8.1	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References (2)

GitHub Security Advisory (GHSA-x7rp-qj2h-ghgw) https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x7rp-qj2h-ghgw
VulnCheck Advisory: Flowise - Session Invalidation Failure After Password Change https://www.vulncheck.com/advisories/flowise-session-invalidation-failure-after-password-change