Executive Summary
CVE-2025-71327 is a critical authentication bypass vulnerability (CVSS 9.1) in Flowise, the open-source platform for building LLM-powered workflows and chatbots. The /api/v1/account/register endpoint is left completely unprotected, allowing unauthenticated remote attackers to register arbitrary user accounts and gain full API access to the Flowise instance — including access to credentials, AI models, workflows, and data pipelines.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-71327 |
| CVSS Score | 9.1 (Critical) |
| Type | Authentication Bypass |
| Component | /api/v1/account/register endpoint |
| Attack Vector | Network |
| Authentication | None required |
| User Interaction | None |
| Published | June 25, 2026 |
Vulnerability Details
Root Cause
Flowise implements authentication middleware to protect its API routes. However, the /api/v1/account/register endpoint was not included in the protected route set. An unauthenticated attacker can send a POST request to this endpoint to create an arbitrary user account:
POST /api/v1/account/register HTTP/1.1
Host: flowise.target.com
Content-Type: application/json
{
"username": "attacker",
"password": "AttackerPass123!",
"email": "attacker@evil.com"
}Once registered, the attacker authenticates normally and gains complete access to the Flowise API — equivalent to a legitimate administrator or user depending on the role assigned at registration.
What Attackers Can Access
After bypassing authentication, a threat actor gains access to everything a legitimate Flowise user can reach:
| Resource | Risk |
|---|---|
| Stored credentials | API keys for OpenAI, Anthropic, Azure, AWS, databases |
| LLM workflows | Read, modify, or delete AI chatflow configurations |
| Vector stores | Access embedded knowledge bases and documents |
| Tool integrations | Invoke configured tools (webhooks, APIs, code execution) |
| Chat history | Access all conversation logs and user data |
| Custom tools | Execute arbitrary JavaScript via configured code nodes |
Severity Amplification: AI Platform Context
The severity is compounded by Flowise's role as an AI orchestration platform. A compromised Flowise instance can expose:
- LLM API keys — Anthropic, OpenAI, Azure credentials stored in the credential vault
- Prompt injection vectors — Modify system prompts in production chatbots
- Data pipeline access — Documents, PDFs, and databases loaded into vector stores
- Webhook endpoints — Trigger external API calls and automations
Affected Versions
All Flowise versions where authentication is enabled but the registration endpoint bypass is unpatched are affected. Self-hosted Flowise deployments configured with user authentication are the primary risk surface. Cloud-hosted instances (e.g., Flowise Cloud) should be verified with the vendor.
Check your Flowise version:
# Check Flowise version
docker exec <flowise-container> npm list flowise 2>/dev/null | grep flowise
# Or check the package.json inside the container
docker exec <flowise-container> cat /usr/src/packages/server/package.json | grep '"version"'Immediate Remediation
Patch
- Update Flowise immediately to the latest patched release via the official GitHub repository or Docker Hub
- Restart the Flowise service after applying the update
- Audit registered accounts — check for unknown accounts created before patching
# Pull latest patched Flowise Docker image
docker pull flowiseai/flowise:latest
docker-compose up -d --force-recreate flowiseInterim Mitigation (If Patching Is Delayed)
Block the registration endpoint via reverse proxy while preparing the patch:
# Nginx — block unauthenticated access to registration endpoint
location /api/v1/account/register {
# Allow only internal networks or trusted IPs
allow 10.0.0.0/8;
deny all;
}# Or disable registration entirely in Flowise environment config
FLOWISE_DISABLE_REGISTRATION=truePost-Patch Audit
- Review all registered user accounts for unexpected entries
- Rotate all API keys stored in the Flowise credential vault (OpenAI, Anthropic, database credentials, webhooks)
- Review LLM workflow configurations for unauthorized modifications
- Check chat history logs for attacker reconnaissance activity
- Audit external tool integrations for unauthorized webhook calls
Detection
Signs of Active Exploitation
| Indicator | Description |
|---|---|
POST /api/v1/account/register in logs | Registration attempt — check timing vs. legitimate usage |
| Accounts created outside business hours | Attacker-created accounts |
| Unexpected API key usage spikes | Stolen credentials being used |
| Modified chatflow system prompts | Prompt injection or workflow tampering |
| Unusual tool invocations | Attacker executing code or calling external services |
Log Query
# Search Flowise logs for registration endpoint hits
docker logs flowise 2>&1 | grep "account/register"
# Or check nginx/traefik access logs
grep "POST /api/v1/account/register" /var/log/nginx/access.logWhy This Matters for AI Infrastructure
Flowise is widely deployed for building internal AI assistants, customer-facing chatbots, and LLM-powered automation pipelines. A compromise of a Flowise instance represents a multi-vector attack surface:
- Credential harvest — All stored API keys and service credentials are exposed
- Supply chain risk — Modified chatbots can be weaponized to attack end users
- Data exfiltration — Vector store contents (embedded documents, knowledge bases) can be extracted
- Lateral movement — Tool integrations may expose internal network services
Organizations building AI workflows on Flowise should treat this as a priority patch — the unprotected registration endpoint is trivially exploitable with a single HTTP request.
Key Takeaways
- CVSS 9.1 Critical — No authentication required to register accounts and gain full API access
- Single HTTP request exploit — Trivial to exploit with no tooling required
- AI credential exposure — LLM API keys (OpenAI, Anthropic, Azure) stored in credential vault are at risk
- Patch immediately — Update to the latest Flowise release and restart
- Rotate all credentials stored in Flowise after patching, regardless of confirmed exploitation