ZDI 2026-04-27

ZDI-26-300: Flowise AccountService resetPassword Authentication Bypass Vulnerability

CVE-2026-41276

Machine-generated analysis · WAYSCloud LLM

The vulnerability enables remote authentication bypass via the AccountService resetPassword function in Flowise without requiring prior authentication.

Context

Flowise is affected by an authentication bypass vulnerability in the AccountService resetPassword functionality. The vulnerability can be exploited remotely without requiring authentication. The ZDI assigned a CVSS score of 8.1, indicating high severity based on their scoring criteria. Worth noting that the vulnerability may allow unauthorized access to the system through password reset mechanisms.

Operator considerations

Check: Identify Flowise instances using the AccountService resetPassword functionality.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to bypass authentication on affected installations of Flowise. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2026-41276.

Read the full advisory on ZDI →