GHSA-289x-5mj7-xhg5HighCVSS 8.1

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions...

Published
June 26, 2026
Last Modified
June 26, 2026

🔗 CVE IDs covered (1)

📋 Description

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.

🔗 References (4)