8.3

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-fjh6-8679-9pch

GHSA-fjh6-8679-9pch: Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change

Summary

Bypass of Password Confirmation - Unverified Password Change (authenticated change without current password)

An authenticated user is allowed to change their account password without supplying the current password or any additional verification. The application does not verify the actor’s authority to perform that credential change (no current-password check, no authorization enforcement). An attacker who is merely authenticated (or who can trick or coerce an authenticated session) can set a new password and gain control of the account. (ATO - Account Takeover)

Details

Occurence - code: https://github.com/FlowiseAI/Flowise/blob/main/packages/ui/src/views/account/index.jsx#L278

Remote and physical scenarios can be considered.

PoC

Repro steps:

As logged in user https://cloud.flowiseai.com/account scroll down to 'Security' section
Change password to the new password
Notice Unverified Password Change (authenticated change without current password)

POC: Password changed, and notice "Password updated" message.

Screenshot: <img width="467" height="526" alt="secpw" src="https://github.com/user-attachments/assets/4cc52978-9f37-42ca-a2b2-7285c4da9f1c" />

Impact

Full account takeover (ATO) of affected accounts (loss of confidentiality and integrity of account data). User account recovery mechanisms (password reset flows tied to email) can be bypassed or abused if combined with this issue and the second one which I've reported (similar security issue with the email - part of credentials). (gain persistence)

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-fjh6-8679-9pch

GHSA-fjh6-8679-9pch:

8.3

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
flowise-ui	npm	< 3.0.10	3.0.10

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the backend's UserService.updateUser function, which is responsible for updating user details, including the password. The initial investigation using get_commit_urls_from_pull_request on the provided pull request URL pointed to a series of commits. Analyzing these commits with get_commit_infos revealed the exact code changes that patched the vulnerability. Specifically, commit f5c4f803e8d7bc890a905fc85e17e1301671a833 shows that the updateUser function was modified to require the user's oldPassword. Before the patch, the function would accept a new password and update it without any verification of the old one. The patch added logic to compare the provided oldPassword with the hash stored in the database, thus fixing the unverified password change vulnerability. The frontend code in packages/ui/src/views/account/index.jsx was also updated to include a field for the old password, confirming the fix. The vulnerable function is UserService.updateUser as it's the entry point on the server-side that processes the malicious request.

Vulnerable functions

UserService.updateUser

packages/server/src/enterprise/services/user.service.ts

The `updateUser` function in `UserService` was vulnerable because it allowed changing a user's password without requiring the current password. The original implementation only checked for the presence of a new `password` in the request body and, if present, would hash and update it in the database. This allowed an attacker with an authenticated session to take over an account by setting a new password without any verification.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.3

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-fjh6-8679-9pch: Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change

Summary

Details

PoC

Impact

GHSA-fjh6-8679-9pch:

8.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-fjh6-8679-9pch: Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change

Summary

Details

PoC

Impact

Basic Information

Basic Information

8.3

8.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI