External risk intelligence

Flowise Authentication Bypass via Unprotected Registration Endpoint

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2025-71327

Flowise is a web-based application designed to provide API endpoints and management interfaces for AI workflows. Because it is typically deployed as a web application service that requires network accessibility for users to interact with its API and interface, it is commonly exposed as an internet-facing service.

Missing Authentication

Flowiseai Flowise

3.0.1

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in Flowise that could allow unauthorized users to create accounts and gain full access to the system's API without proper authentication. This occurs through an unprotected registration endpoint, meaning attackers can bypass security measures to establish new user accounts remotely. The primary concern is confirming whether this specific technology is in use and, if so, assessing the potential exposure.

  • Unauthenticated users can create accounts.
  • Remember this if Flowise is used.
  • Confirm relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker with network access can create new user accounts on the Flowise system by targeting an unprotected registration endpoint. This bypasses the need for existing credentials, allowing the attacker to gain full API access.

  • Network access required.
  • Unprotected registration endpoint.
  • Full API access granted.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, unauthenticated remote attackers could exploit an unprotected registration endpoint to create arbitrary user accounts. This grants them full API access to the system without needing any credentials.

  • System accounts could be created.
  • Unprotected API registration allows access.
  • Unauthorized system control may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability, an authentication bypass in the registration endpoint, requires immediate attention from teams responsible for Flowise deployments. The first step is to identify all instances of Flowise, determine their exposure and criticality, and locate the accountable application or platform owner to plan remediation.

  • Identify Flowise instances and assess risk.
  • Confirm system reachability and business criticality.
  • Plan remediation with the accountable owner.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Flowise?

Flowise is a web-based platform used to build, manage, and deploy AI workflows. It provides an interface and API endpoints that help developers connect different AI models and tools into functional automation pipelines. Because it serves as a central hub for managing these workflows, it is typically deployed as a persistent service within a network.

What does CVE-2025-71327 mean?

This CVE represents a security flaw classified as a 'Missing Authentication for Critical Function' (CWE-306). Essentially, a specific part of the software meant to handle user registration lacks the necessary identity checks. Because of this, the system incorrectly trusts any request sent to that endpoint, allowing anyone to create an account and gain full access to the application's API functions without valid credentials.

How can an attacker trigger this vulnerability?

An attacker triggers this by sending a request to the system's registration endpoint, located at /api/v1/account/register. No special conditions, such as having existing privileges or user interaction, are required. It is important to note that this bug specifically concerns the registration process; it does not involve exploiting logged-in user sessions or bypassing authentication on already established, secure accounts.

Is my Flowise instance at risk?

If your instance is reachable over a network, you should treat this as a significant concern. Halo Surface Signal notes that Flowise is often deployed as an internet-facing service to allow for API accessibility. If your deployment is accessible from the internet, it is directly reachable by unauthorized actors. Even within internal networks, any user with network access to the server could potentially create their own administrative-level account.

What should I do if I use Flowise?

The first step is to perform an audit to identify all running instances of Flowise in your environment. Once identified, work with the team or individual responsible for the platform to verify if the version you are running is affected. Prioritize determining whether these instances are exposed to the internet, as this increases the likelihood of unauthorized account creation, and coordinate with the system owner to apply available security updates.

References