Unverified Email Change Enables Account Takeover

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.

Casky was already ahead

This CVE exploits attack patterns that Casky's 283matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

Flowise versions 3.0.7 and earlier contain a critical account takeover vulnerability stemming from insufficient verification when users change their email address. Since email serves as both the login identifier and password recovery channel, an authenticated attacker can unilaterally change the associated email without confirming the change with the original address or re-authenticating with their password. This CWE-620 (Unverified Password Change) variant creates a direct pathway to account compromise: by redirecting the recovery email to an attacker-controlled address, threat actors gain full control over password reset flows and account access. Any organization deploying Flowise for workflow automation faces immediate risk, particularly if the platform handles sensitive data, API integrations, or serves as an authentication touchpoint for downstream systems.

Casky's 283 mapped skills detect the attack patterns underpinning this vulnerability across MITRE ATT&CK tactics TA0004 (Privilege Escalation) and TA0006 (Credential Access). Practitioners using Casky would identify suspicious behavioral patterns including: unexpected email modification requests from authenticated sessions, rapid successive account recovery attempts using newly changed emails, and lateral movement post-compromise as attackers pivot through stolen credentials. Claude AI's extended reasoning capability correlates these signals—detecting when legitimate profile updates are followed by password reset requests from new email addresses, or when email changes precede access from anomalous geographic locations. Security teams would see findings flagging email change operations lacking secondary verification, failed authentication attempts against old credentials post-email-change, and unauthorized access patterns consistent with credential takeover, enabling rapid incident response before attackers abuse the compromised recovery mechanism.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

283 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2025-71337.

abusing-dpapi-for-credential-access

red teaming · high

Run

abusing-shadow-credentials-for-privesc

red teaming · high

Run

Access with Stolen Session Cookie

identity access management · low

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2025-71337

Casky has 283 skills that investigate the attack patterns behind CVE-2025-71337. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn