An unauthenticated attacker can exploit the unprotected registration endpoint (/register) to create a new user and bypass authentication.
Critical vulnerability in Flowise 3.0.1 on-premise deployment allows unauthenticated attackers to exploit the /api/v1/account/register endpoint to add a new user and log in using it, enabling authentication bypass.
This means the registration functionality is open by default, allowing attackers to create an account and use the API without any restrictions or credentials.
A Flowise 3.0.1 instance was deployed via Docker for the purpose of this demonstration.
After successful deployment, the instance's organization setup page allows registering the first account in the system.
Creating the first user research@evasec.io
Login to the account
The background request that created the first user to /api/v1/account/register
Response
We have found that it is possible to reuse the registration request multiple times without any restrictions to create an account and authenticate to the system using it.
Crafting a new request
{
  "user": {
    "name": "Malicious",
    "email": "attacker@attack.io",
    "type": "pro",
    "credential": "Password123!"
  }
}
Response...
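On a single-tenant on-premise instance, only the initial setup registration is expected, so every later successful POST to /api/v1/account/register is a strong indicator that the endpoint is being abused in the way described above. The following detection script is an added example written for this page, not code from the Flowise project or from the advisory author. It parses web-server access logs in combined log format, collects successful registration calls, and flags every one beyond the first; the log lines are constructed for the example and the non-registration paths in them are illustrative only.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format) for a self-hosted
# instance. Only the first registration belongs to the legitimate setup; the
# two later ones from a second address are the pattern this script flags.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2025:10:00:01 +0000] "POST /api/v1/account/register HTTP/1.1" 201 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jun/2025:10:00:05 +0000] "GET /api/v1/chatflows HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jun/2025:03:14:07 +0000] "POST /api/v1/account/register HTTP/1.1" 201 512 "-" "python-requests/2.31"
198.51.100.7 - - [02/Jun/2025:03:14:09 +0000] "POST /api/v1/account/register HTTP/1.1" 201 512 "-" "python-requests/2.31"
198.51.100.7 - - [02/Jun/2025:03:14:30 +0000] "GET /api/v1/chatflows HTTP/1.1" 200 1024 "-" "python-requests/2.31"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The endpoint named in the advisory.
REGISTER_PATH = "/api/v1/account/register"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Ignore any query string so /register?x=y is still recognised.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_registrations(log_text):
    """Return every successful (2xx) POST to the registration endpoint, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"] == REGISTER_PATH
                and 200 <= rec["status"] < 300):
            hits.append(rec)
    return hits


def flag_extra_registrations(log_text, expected=1):
    """Flag registrations beyond the number expected for this deployment.

    For a self-hosted instance set up by one administrator, expected=1
    (the initial setup). Every further successful registration is returned
    as suspicious.
    """
    return find_registrations(log_text)[expected:]


def summarize(log_text, expected=1):
    """Produce a small report: total registrations, flagged entries, and counts per source IP."""
    extra = flag_extra_registrations(log_text, expected)
    return {
        "total_registrations": len(find_registrations(log_text)),
        "flagged": [(h["ip"], h["ts"]) for h in extra],
        "by_ip": Counter(h["ip"] for h in extra),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"registrations seen: {report['total_registrations']}")
    for ip, ts in report["flagged"]:
        print(f"suspicious registration from {ip} at {ts}")
```

The threshold is deliberately a parameter: where an operator legitimately provisions several accounts at setup time, raise `expected` accordingly, or instead key the rule on registrations that occur after the setup window. A non-2xx status is not counted, so the script reports only registrations the server actually accepted.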
Version: 3.0.1
CVSS 4.0 base score: 8.7
Exploitability: AV:N / AC:L / AT:N / PR:N / UI:N
Vulnerable System: VC:N / VI:H / VA:N
Subsequent System: SC:N / SI:N / SA:N
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N