Flowise - Unverified Email Change via Account Profile Endpoint
Description
Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Missing authentication or verification step when changing the account email address, which serves as both login identifier and password-recovery channel."
Attack vector
An authenticated attacker navigates to the account profile page at `/account`, scrolls to the 'Profile' section, and changes the email address to an attacker-controlled email. The application accepts the new email without sending a confirmation link to the original email and without requiring the current password [CWE-306]. Because the email doubles as the login identifier and password-recovery channel, the attacker can then use the password-reset flow on the new email to fully take over the account [ref_id=1].
Affected code
The advisory locates the vulnerability at the account profile endpoint and points to `packages/ui/src/views/account/index.jsx` around line 211, which is the client-side form that submits the new address. Because a client can issue that request directly, a check added only in the UI is bypassable; the verification has to be enforced by the server-side handler that processes the profile update. Flowise versions 3.0.7 and earlier are affected; the issue is fixed in version 3.0.10.
What the fix does
The patch is not shown in the bundle; the advisory does not include a diff. The recommended fix is to add a confirmation step (e.g., sending a verification link to the original email) or require the current password before allowing the email to be changed. Flowise released version 3.0.10 as the fix.
Preconditions
- auth: The attacker must be authenticated as a valid user on the Flowise instance.
- config: The application must be running Flowise 3.0.7 or earlier.
Reproduction
1. Log in to the Flowise cloud instance at https://cloud.flowiseai.com/account.
2. Scroll down to the 'Profile' section.
3. Change the email field to a new attacker-controlled address and save.
4. Observe that the change is accepted with only a 'Profile updated' message and no confirmation to the original email or password challenge.
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4 (mitre, vendor-advisory)
- https://www.vulncheck.com/advisories/flowise-unverified-email-change-via-account-profile-endpoint (mitre, third-party-advisory)