What is Flowise?
Flowise is an open-source platform for building AI-powered applications such as chatbots and agent systems. It provides a visual drag-and-drop interface that makes it possible to design workflows without writing extensive code. Under the hood, it supports large language models (LLMs), Retrieval-Augmented Generation (RAG), and integrates with multiple data sources.
Developers can choose to self-host Flowise on their own servers or use Flowise Cloud, a commercial version available as a paid service. With nearly 50,000 stars on GitHub and thousands of weekly npm installations, Flowise has become one of the most widely adopted tools in the AI builder ecosystem.
🔥 Side Quest for SysAdmins 🔥
I’m building HackMeNow – a terminal-style hacking puzzle game.
Back it on Kickstarter and help bring it to life:
The Vulnerability
In September 2025, researchers disclosed a critical flaw in Flowise’s password-reset mechanism, tracked as CVE-2025-58434.
When a user requested a password reset, the API not only triggered the email with the reset link, but also returned sensitive account data in the response — including:
* the account UUID,
* the password hash, and
* the reset token itself.
Armed with only a victim’s email address, an attacker could grab the reset token and set a new password, gaining full access to the account. No need for the old password. No interception of emails. Just an API call and a takeover
Why It Matters ?
The impact was amplified by two missing security layers in Flowise:
1. No re-authentication – Sensitive account actions such as changing a password did not require entering the old one.
2. No 2FA – There was no two-factor authentication option, meaning attackers who reset a password faced no extra hurdle.
This combination meant that once the reset token was exposed, there was effectively nothing protecting user accounts.
Lessons for Developers
This case is a textbook example of why authentication flows deserve the highest scrutiny. A few best practices could have prevented or limited the damage:
Never expose reset tokens in API responses. Tokens should be one-time, short-lived, and only sent via email.
Require re-authentication for critical actions (password change, session termination, enabling MFA).
Implement 2FA correctly so that even if a password is reset, the second factor still protects the account.
Rate-limit and monitor reset endpoints to detect abuse.
Audit API responses regularly to make sure sensitive data isn’t accidentally included.
🔥 Side Quest for SysAdmins 🔥
I’m building HackMeNow – a terminal-style hacking puzzle game.
Back it on Kickstarter and help bring it to life:
What Users Should Do ?
If you run Flowise (self-hosted or cloud), take these steps:
1. Update immediately to the patched version.
2. Rotate admin and critical user passwords.
3. Check logs for unusual reset activity or login attempts.
4. Adopt unique email aliases for critical accounts where possible.
5. Enable 2FA once the feature is available — and push Flowise to implement it sooner rather than later.
TL;DR
A critical flaw (CVE-2025-58434) in Flowise’s password-reset flow allowed attackers to hijack accounts using only an email address. The API mistakenly returned reset tokens and other account details, making full account takeover trivial. The bug is now patched, but the lack of 2FA and weak password-change practices highlight broader security gaps. Update, rotate passwords, and audit logs immediately. Developers should treat authentication flows as critical infrastructure.
Subscribe to the channel: youtube.be/@AngryAdmin 🔥
🚨Dive into my blog: angrysysops.com
🚨Snapshots 101: a.co/d/fJVHo5v
🌐Connect with us:
- 👊Facebook: facebook.com/AngrySysOps
- 👊X: twitter.com/AngrySysOps
- 👊My Podcast: creators.spotify.com/pod/show/angrysysops
- 👊Mastodon: techhub.social/@AngryAdmin
💻Website: angrysysops.com
🔥vExpert info: vExpert Portal
