PT-2026-34744 · Flowise · Flowise

Published: 2026-04-16 · Updated: 2026-04-30 · CVE-2026-41276

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Flowise versions prior to 3.1.0

Description: Remote attackers can bypass authentication in Flowise. The issue exists within the resetPassword() function of the AccountService class, where the system fails to verify whether a password reset token was ever generated for the user account. Because the stored reset token is null or an empty string by default, an attacker who knows a user's email address can send a request to the '/api/v1/account/reset-password' endpoint with a null or empty reset token value and change that user's password.

Recommendations: Update to version 3.1.0.
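The defect described above, as an added illustration written for this entry rather than Flowise's own code: a reset routine that only compares the supplied token against a stored token that defaults to null, beside a hardened version that requires an issued, unexpired, non-empty token and compares it in constant time. The Account fields and function names are assumptions.

```typescript
import { timingSafeEqual } from "node:crypto";

// Hypothetical account record; field names are assumptions, not Flowise's schema.
interface Account {
  email: string;
  passwordHash: string;
  tempToken: string | null;   // null or "" when no reset has ever been requested
  tokenExpiry: number | null; // epoch milliseconds
}

// Vulnerable pattern: compares the supplied token with the stored one without
// first checking that a reset was ever issued. When tempToken is null or ""
// and the supplied token is equally empty, the equality check passes.
function resetPasswordVulnerable(acct: Account, token: string | null, newHash: string): boolean {
  if (acct.tempToken !== token) return false;
  acct.passwordHash = newHash;
  acct.tempToken = null;
  return true;
}

// Hardened pattern: a reset succeeds only if a non-empty token was issued,
// has not expired, and matches the supplied token in constant time.
function resetPasswordFixed(acct: Account, token: unknown, newHash: string, now = Date.now()): boolean {
  if (typeof token !== "string" || token.length === 0) return false;
  if (!acct.tempToken || acct.tokenExpiry === null || acct.tokenExpiry < now) return false;
  const stored = Buffer.from(acct.tempToken, "utf8");
  const given = Buffer.from(token, "utf8");
  if (stored.length !== given.length || !timingSafeEqual(stored, given)) return false;
  acct.passwordHash = newHash;
  acct.tempToken = null;   // token is single-use
  acct.tokenExpiry = null;
  return true;
}

// Constructed sample account that never requested a password reset.
function freshAccount(): Account {
  return { email: "user@example.com", passwordHash: "hash-of-old", tempToken: null, tokenExpiry: null };
}
```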

Exploit

Fix

Improper Authentication


Weakness Enumeration

Related Identifiers

CVE-2026-41276
GHSA-F6HC-C5JR-878P
ZDI-26-300

Affected Products

Flowise