{"id":"GHSA-x7rp-qj2h-ghgw","summary":"Flowise Fails to Invalidate Existing Sessions After Password Changes","details":"### Summary\nFailure to Invalidate Existing Sessions After Password Change (Persistent Session / Session Invalidity Failure).\n\n### Details\nAfter a user changes their password, the application does not invalidate other active sessions or session tokens that were established before the change. An attacker who already has an active session (e.g., via a stolen session token, a device left logged in, or other access) continues to be authenticated even after the legitimate user rotates credentials, allowing the attacker to retain access despite the user’s password change.\n\n### PoC\n**Repro steps:**\n1. As a logged-in user on two browsers (i.e. Chrome and Firefox, with incognito/private mode), change the password at https://cloud.flowiseai.com/account, in Chrome for example\n2. Refresh the site in Firefox (the second browser) - notice that you are still logged in (despite the credentials having been changed)\n\n**POC:**\nThe steps described above (in Repro steps) completed successfully.\n\n### Impact\nPersistent unauthorized access despite credential rotation - undermines the primary purpose of password changes as a remediation step.\nEnables attackers with an active session (remote or physical access to a device) to continue acting as the user (confidentiality and integrity impact).\nIf session tokens are not bound to the credential state, forced password changes won’t terminate attacker sessions.\n\n**Resources**\nOWASP Session Management Cheat Sheet\nCWE-613: Insufficient Session Expiration","modified":"2025-11-14T20:50:36Z","published":"2025-11-14T20:50:36Z","database_specific":{"severity":"HIGH","nvd_published_at":null,"cwe_ids":["CWE-613"],"github_reviewed_at":"2025-11-14T20:50:36Z","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x7rp-qj2h-ghgw"},{"type":"WEB","url":"https://github.com/FlowiseAI/Flowise/pull/5294"},{"type":"PACKAGE","url":"https://github.com/FlowiseAI/Flowise"}],"affected":[{"package":{"name":"flowise","ecosystem":"npm","purl":"pkg:npm/flowise"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"3.0.10"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-x7rp-qj2h-ghgw/GHSA-x7rp-qj2h-ghgw.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}