CVE-2025-71327
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk38th percentile — higher than 38% of all known CVEs
Summary
Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API access without credentials.
Risk Assessment
The risk involves unauthorized access to the system and its data by third parties, potentially leading to breaches of confidentiality, integrity, and availability of information.
Recommendation
Immediately secure the /api/v1/account/register endpoint by requiring authentication or restricting access to authorized users only. It is also recommended to implement access control mechanisms and monitor for unauthorized registration attempts.
Original NVD description (English source)
Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API access without credentials.

