PT-2026-34739 · Flowise · Flowise
Published: 2026-04-16 · Updated: 2026-04-23 · CVE-2026-41275
CVSS v4.0: 7.5 (High)
Vector: AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Flowise versions prior to 3.1.0
Description
The password reset functionality on the endpoint 'cloud.flowiseai.com' sends the password reset link over unsecured HTTP rather than HTTPS. This allows an attacker on the same network to perform a man-in-the-middle (MITM) attack, a technique where a third party intercepts communication between two parties, to capture the reset link and gain unauthorized account access.
Recommendations
Update to version 3.1.0.
Exploit
Fix
Cleartext Transmission of Sensitive Information
Weakness Enumeration
Related Identifiers
Affected Products
Flowise