Common Weakness Enumeration

CWE-620

Allowed

Unverified Password Change

Abstraction: Base · Status: Draft

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

157 vulnerabilities reference this CWE, most recent first.

GHSA-974C-VF2R-989V

Vulnerability from github – Published: 2022-09-08 00:00 – Updated: 2022-09-13 00:00
VLAI
Details

Unverified Password Change in GitHub repository phpfusion/phpfusion prior to 9.10.20.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-07T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Unverified Password Change in GitHub repository phpfusion/phpfusion prior to 9.10.20.",
  "id": "GHSA-974c-vf2r-989v",
  "modified": "2022-09-13T00:00:35Z",
  "published": "2022-09-08T00:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3152"
    },
    {
      "type": "WEB",
      "url": "https://github.com/phpfusion/phpfusion/commit/57c96d4a0c00e8e1e25100087654688123c6e991"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/b3f888d2-5c71-4682-8287-42613401fd5a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9WGG-M99Q-HHFC

Vulnerability from github – Published: 2023-12-19 23:12 – Updated: 2023-12-20 17:54
VLAI
Summary
Expired tokens can be renewed without validating the account password
Details

Impact

In versions of the proxy from 2022-09-05 onwards (since 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f), expired OAuth 2.0 client credentials grant (CCG) flow authorisation tokens could be renewed automatically without checking their validity against the original account configuration (i.e., the password that was set up when first creating an account in the proxy).

An attacker with knowledge of valid account addresses and careful timing (specifically, attempting to log in during a period from 10 minutes prior to the token expiry time, but before a genuine login request is received) could use this issue to gain access to an account.

This issue is only a security concern if you use the proxy with the CCG flow and no additional account secret encryption (see below). If this is the case, it is particularly important to update if you use the proxy in a publicly-accessible setting (i.e., it is available from the internet or across a network). To fix the issue you should switch to version 2023-12-19 or later of the proxy immediately.

If you use this flow, but have also set encrypt_client_secret_on_first_use = True and removed the original client_secret value from the proxy's configuration file then this issue is not a concern.

For all other use-cases (e.g., a normal interactive account authentication, or the ROPCG flow), this issue is also not a concern. However, it is always recommended as best practice to keep the proxy up-to-date.

Patches

Email OAuth 2.0 Proxy version 2023-12-19 (commit eaaa1a2e7a132bf0958dd2f99a749ad98e3212aa) fixes this issue.

Issue details

Because it was originally designed for use as an interactive, local-only service on a single device, the proxy automatically resets account access tokens if incorrect IMAP/POP/SMTP login details are provided. For public-facing deployments, the delete_account_token_on_password_error option is provided, and can be set to False to disable this behaviour, which would normally be only a nuisance, rather than a security risk.

Regardless of this option's value, the proxy encrypts locally-stored tokens, and requires interactive re-authentication (or, with the resource owner password credentials grant (ROPCG) flow, the correct remote account password) to renew tokens if they expire or are reset. The proxy's token retrieval implementation was created with this interactive process in mind.

The CCG flow is an administrator-level method that grants broad access without user knowledge or consent – no user interaction (or remote account password) is ever required. From 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f until the fix in eaaa1a2e7a132bf0958dd2f99a749ad98e3212aa, when CCG tokens neared their expiry date (or had already expired), and the original unencrypted client_secret value was available they were automatically reset, renewed and encrypted with the given login password, but without checking whether that password was actually able to decrypt the existing token.

Detecting unauthorised access

If you do not use the OAuth 2.0 CCG flow (which is currently only known to be supported by O365), unauthorised account access was not possible.[^1] Attempts to exploit this flaw will be revealed in the same way as any other malicious access: an unexpected reauthorisation prompt from the proxy when trying to log in with the legitimate account details.

When using the CCG flow, if you have set delete_account_token_on_password_error = False, unauthorised access will be revealed by the presence of an unexpected login failure from the proxy when attempting to log in with the correct password.

It you have not set this value, it is not possible to detect unauthorised access in O365 CCG mode except via AAD/Entra or other external logs. However, it is also worth reiterating that the CCG flow should never be used in a publicly-accessible context due to the significant and potentially dangerous account control it provides.

[^1]: If you are using a provider that does not provide an OAuth 2.0 refresh token (or have configured your account's scope so that this is not present), it is possible to trigger the line of code that caused this issue, but there is no way to use it for account access because interactive authentication is still required.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2023.11.18"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "emailproxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2023.12.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-19T23:12:03Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nIn versions of the proxy from `2022-09-05` onwards (since 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f), expired OAuth 2.0 client credentials grant (CCG) flow authorisation tokens could be renewed automatically without checking their validity against the original account configuration (i.e., the password that was set up when first creating an account in the proxy).\n\nAn attacker with knowledge of valid account addresses and careful timing (specifically, attempting to log in during a period from 10 minutes prior to the token expiry time, but before a genuine login request is received) could use this issue to gain access to an account.\n\nThis issue is only a security concern if you use the proxy with the CCG flow and no additional account secret encryption (see below). If this is the case, it is particularly important to update if you use the proxy in a publicly-accessible setting (i.e., it is available from the internet or across a network). To fix the issue you should switch to version [`2023-12-19`](https://github.com/simonrob/email-oauth2-proxy/releases/tag/2023-12-19) or later of the proxy immediately.\n\nIf you use this flow, but have also set `encrypt_client_secret_on_first_use = True` *and* removed the original `client_secret` value from the proxy\u0027s configuration file then this issue is not a concern.\n\nFor all other use-cases (e.g., a normal interactive account authentication, or the ROPCG flow), this issue is also not a concern. However, it is always recommended as best practice to keep the proxy up-to-date.\n\n\n### Patches\n[Email OAuth 2.0 Proxy version `2023-12-19`](https://github.com/simonrob/email-oauth2-proxy/releases/tag/2023-12-19) (commit eaaa1a2e7a132bf0958dd2f99a749ad98e3212aa) fixes this issue.\n\n\n### Issue details\nBecause it was originally designed for use as an interactive, local-only service on a single device, the proxy automatically resets account access tokens if incorrect IMAP/POP/SMTP login details are provided. For public-facing deployments, the `delete_account_token_on_password_error` option is provided, and can be set to `False` to disable this behaviour, which would normally be only a nuisance, rather than a security risk.\n\nRegardless of this option\u0027s value, the proxy encrypts locally-stored tokens, and requires interactive re-authentication (or, with the resource owner password credentials grant (ROPCG) flow, the correct remote account password) to renew tokens if they expire or are reset. The proxy\u0027s token retrieval implementation was created with this interactive process in mind.\n\nThe CCG flow is an administrator-level method that grants broad access without user knowledge or consent \u2013 no user interaction (or remote account password) is ever required. From 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f until the fix in eaaa1a2e7a132bf0958dd2f99a749ad98e3212aa, when CCG tokens neared their expiry date (or had already expired), and the original unencrypted `client_secret` value was available they were automatically reset, renewed and encrypted with the given login password, but without checking whether that password was actually able to decrypt the _existing_ token.\n\n\n### Detecting unauthorised access\nIf you do not use the OAuth 2.0 CCG flow (which is currently only known to be supported by O365), unauthorised account access was not possible.[^1] Attempts to exploit this flaw will be revealed in the same way as any other malicious access: an unexpected reauthorisation prompt from the proxy when trying to log in with the legitimate account details.\n\nWhen using the CCG flow, if you have set `delete_account_token_on_password_error = False`, unauthorised access will be revealed by the presence of an unexpected login failure from the proxy when attempting to log in with the correct password.\n\nIt you have not set this value, it is not possible to detect unauthorised access in O365 CCG mode except via AAD/Entra or other external logs. However, it is also worth reiterating that the CCG flow should never be used in a publicly-accessible context due to the significant and potentially dangerous account control it provides.\n\n[^1]: If you are using a provider that does not provide an OAuth 2.0 refresh token (or have configured your account\u0027s scope so that this is not present), it is possible to trigger the line of code that caused this issue, but there is no way to use it for account access because interactive authentication is still required.",
  "id": "GHSA-9wgg-m99q-hhfc",
  "modified": "2023-12-20T17:54:54Z",
  "published": "2023-12-19T23:12:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/simonrob/email-oauth2-proxy/security/advisories/GHSA-9wgg-m99q-hhfc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simonrob/email-oauth2-proxy/commit/8c874c2ff3d503ac20c7d32f46e08547fcb9e23f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simonrob/email-oauth2-proxy/commit/eaaa1a2e7a132bf0958dd2f99a749ad98e3212aa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/simonrob/email-oauth2-proxy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simonrob/email-oauth2-proxy/releases/tag/2023-12-19"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Expired tokens can be renewed without validating the account password"
}

GHSA-C68V-2764-RF86

Vulnerability from github – Published: 2026-02-16 09:30 – Updated: 2026-02-16 09:30
VLAI
Details

A vulnerability was identified in vichan-devel vichan up to 5.1.5. This vulnerability affects unknown code of the file inc/mod/pages.php of the component Password Change Handler. The manipulation of the argument Password leads to unverified password change. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-16T07:17:01Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in vichan-devel vichan up to 5.1.5. This vulnerability affects unknown code of the file inc/mod/pages.php of the component Password Change Handler. The manipulation of the argument Password leads to unverified password change. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-c68v-2764-rf86",
  "modified": "2026-02-16T09:30:30Z",
  "published": "2026-02-16T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2543"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lakshayyverma/CVE-Discovery/blob/main/vichan.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.346152"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.346152"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.749716"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CC6X-8CC7-9953

Vulnerability from github – Published: 2024-11-05 15:08 – Updated: 2025-01-21 17:56
VLAI
Summary
OctoPrint has API key access in settings without reauthentication
Details

Impact

OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user's or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account's password.

An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted.

Patches

The vulnerability will be patched in version 1.10.3.

Credits

This vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.10.2"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "OctoPrint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-51493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-620"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-05T15:08:57Z",
    "nvd_published_at": "2024-11-05T19:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nOctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim\u0027s OctoPrint browser session to retrieve/recreate/delete the user\u0027s or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account\u0027s password. \n\nAn attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted.\n\n### Patches\n\nThe vulnerability will be patched in version 1.10.3.\n\n### Credits\n\nThis vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.",
  "id": "GHSA-cc6x-8cc7-9953",
  "modified": "2025-01-21T17:56:26Z",
  "published": "2024-11-05T15:08:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-cc6x-8cc7-9953"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51493"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OctoPrint/OctoPrint/commit/9bc80d782d72881b16e20873dcd0b8314324c70c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OctoPrint/OctoPrint"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2024-202.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OctoPrint has API key access in settings without reauthentication"
}

GHSA-CFW8-MQXQ-PP4X

Vulnerability from github – Published: 2025-04-30 21:31 – Updated: 2025-04-30 21:31
VLAI
Details

Unverified Password Change for ANC software that allows an authenticated attacker to bypass the old Password check in the password change form via a web HMI This issue affects ANC software version 1.1.4 and earlier.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-30T19:15:54Z",
    "severity": "LOW"
  },
  "details": "Unverified Password Change for ANC software that allows an authenticated attacker to bypass the old Password check in the password change form via a web HMI\nThis issue affects ANC software version 1.1.4 and earlier.",
  "id": "GHSA-cfw8-mqxq-pp4x",
  "modified": "2025-04-30T21:31:48Z",
  "published": "2025-04-30T21:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47784"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=2CRT000006\u0026LanguageCode=en\u0026DocumentPartId=PDF\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-F44Q-84CR-V374

Vulnerability from github – Published: 2026-06-26 00:32 – Updated: 2026-06-26 00:32
VLAI
Details

Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-71328"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T22:16:58Z",
    "severity": "HIGH"
  },
  "details": "Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.",
  "id": "GHSA-f44q-84cr-v374",
  "modified": "2026-06-26T00:32:04Z",
  "published": "2026-06-26T00:32:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fjh6-8679-9pch"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71328"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/flowise-unverified-password-change-via-account-settings"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FF7M-H5F6-V93R

Vulnerability from github – Published: 2026-05-29 18:31 – Updated: 2026-05-29 18:31
VLAI
Details

The affected KMW CCTV Security Cameras are vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password to a known value without authentication, granting full access to the camera feeds and settings.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-29T18:17:12Z",
    "severity": "CRITICAL"
  },
  "details": "The affected\u00a0KMW CCTV Security Cameras are\u00a0vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password to a known value without authentication, granting full access to the camera feeds and settings.",
  "id": "GHSA-ff7m-h5f6-v93r",
  "modified": "2026-05-29T18:31:36Z",
  "published": "2026-05-29T18:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5386"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-06.json"
    },
    {
      "type": "WEB",
      "url": "https://main.kmw.ro/pub/Firmware/521_421.zip"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJH6-8679-9PCH

Vulnerability from github – Published: 2025-11-14 20:57 – Updated: 2025-11-14 20:57
VLAI
Summary
Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change
Details

Summary

Bypass of Password Confirmation - Unverified Password Change (authenticated change without current password)

An authenticated user is allowed to change their account password without supplying the current password or any additional verification. The application does not verify the actor’s authority to perform that credential change (no current-password check, no authorization enforcement). An attacker who is merely authenticated (or who can trick or coerce an authenticated session) can set a new password and gain control of the account. (ATO - Account Takeover)

Details

Occurence - code: https://github.com/FlowiseAI/Flowise/blob/main/packages/ui/src/views/account/index.jsx#L278

Remote and physical scenarios can be considered.

PoC

Repro steps: 1. As logged in user https://cloud.flowiseai.com/account scroll down to 'Security' section 2. Change password to the new password 3. Notice Unverified Password Change (authenticated change without current password)

POC: Password changed, and notice "Password updated" message.

Screenshot: secpw

Impact

Full account takeover (ATO) of affected accounts (loss of confidentiality and integrity of account data). User account recovery mechanisms (password reset flows tied to email) can be bypassed or abused if combined with this issue and the second one which I've reported (similar security issue with the email - part of credentials). (gain persistence)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "flowise-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-620"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-14T20:57:31Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nBypass of Password Confirmation - Unverified Password Change (authenticated change without current password)\n\nAn authenticated user is allowed to change their account password without supplying the current password or any additional verification. The application does not verify the actor\u2019s authority to perform that credential change (no current-password check, no authorization enforcement). An attacker who is merely authenticated (or who can trick or coerce an authenticated session) can set a new password and gain control of the account. (ATO - Account Takeover)\n\n### Details\nOccurence - code:\nhttps://github.com/FlowiseAI/Flowise/blob/main/packages/ui/src/views/account/index.jsx#L278 \n\nRemote and physical scenarios can be considered.\n\n### PoC\n**Repro steps:**\n1. As logged in user https://cloud.flowiseai.com/account scroll down to \u0027Security\u0027 section\n2. Change password to the new password\n3. Notice Unverified Password Change (authenticated change without current password)\n\n**POC:** \nPassword changed, and notice \"Password updated\" message.\n\n**Screenshot:**\n\u003cimg width=\"467\" height=\"526\" alt=\"secpw\" src=\"https://github.com/user-attachments/assets/4cc52978-9f37-42ca-a2b2-7285c4da9f1c\" /\u003e\n\n\n### Impact\nFull account takeover (ATO) of affected accounts (loss of confidentiality and integrity of account data).\nUser account recovery mechanisms (password reset flows tied to email) can be bypassed or abused if combined with this issue and the second one which I\u0027ve reported (similar security issue with the email - part of credentials). (gain persistence)",
  "id": "GHSA-fjh6-8679-9pch",
  "modified": "2025-11-14T20:57:31Z",
  "published": "2025-11-14T20:57:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fjh6-8679-9pch"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/pull/5294"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change"
}

GHSA-G494-R69F-J7VQ

Vulnerability from github – Published: 2026-01-23 00:31 – Updated: 2026-01-23 00:31
VLAI
Details

A low-privileged user can bypass account credentials without confirming the user's current authentication state, which may lead to unauthorized privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14751"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T22:16:14Z",
    "severity": "HIGH"
  },
  "details": "A low-privileged user can bypass account credentials without confirming the user\u0027s current authentication state, which may lead to unauthorized privilege escalation.",
  "id": "GHSA-g494-r69f-j7vq",
  "modified": "2026-01-23T00:31:16Z",
  "published": "2026-01-23T00:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14751"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GF57-4MP6-M85X

Vulnerability from github – Published: 2026-06-26 17:33 – Updated: 2026-06-26 17:33
VLAI
Summary
OpenAM Account Takeover via Unverified Password Change in OAuth2 Module
Details

Summary

Description

An Unverified Password Change (CWE-620) and Use of Weak Credentials (CWE-1391) issue in OpenAM's OAuth2 authentication module silently rewrites a local user's password to the literal string of their username on OAuth2 re-login of an existing account. The default ldapService chain then accepts the username as the password for that user, allowing an unauthenticated attacker to obtain a session via the standard authenticate endpoint with both username and password set to the username, without any IdP interaction. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.

Impact

OpenAM Community Edition deployments through version 16.0.6 that use the OAuth2 authentication module with account creation enabled (the default) are potentially affected. After two OAuth logins of a given user, that user's local password becomes their username, and the account is reachable through the default ldapService chain with username as both identifier and password. For pre-existing users whose IdP profile resolves against an existing local identifier, the rewrite fires on the very first re-login.

Usernames shorter than the default minimum password length have the rewrite silently denied (so very short administrative accounts are not affected), and the same update path marks accounts active on every OAuth login, silently reactivating disabled accounts.

Successful exploitation grants an unauthenticated attacker a session carrying the victim principal's privileges.

Patch

This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openidentityplatform.openam:openam-auth-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "16.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1391",
      "CWE-620"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T17:33:35Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\n**Description**\n\nAn Unverified Password Change (CWE-620) and Use of Weak Credentials (CWE-1391) issue in OpenAM\u0027s OAuth2 authentication module silently rewrites a local user\u0027s password to the literal string of their username on OAuth2 re-login of an existing account. The default ldapService chain then accepts the username as the password for that user, allowing an unauthenticated attacker to obtain a session via the standard authenticate endpoint with both username and password set to the username, without any IdP interaction. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.\n\n## Impact\nOpenAM Community Edition deployments through version 16.0.6 that use the OAuth2 authentication module with account creation enabled (the default) are potentially affected. After two OAuth logins of a given user, that user\u0027s local password becomes their username, and the account is reachable through the default ldapService chain with username as both identifier and password. For pre-existing users whose IdP profile resolves against an existing local identifier, the rewrite fires on the very first re-login.\n\nUsernames shorter than the default minimum password length have the rewrite silently denied (so very short administrative accounts are not affected), and the same update path marks accounts active on every OAuth login, silently reactivating disabled accounts. \n\nSuccessful exploitation grants an unauthenticated attacker a session carrying the victim principal\u0027s privileges.\n\n## Patch\nThis has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.",
  "id": "GHSA-gf57-4mp6-m85x",
  "modified": "2026-06-26T17:33:35Z",
  "published": "2026-06-26T17:33:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-gf57-4mp6-m85x"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenIdentityPlatform/OpenAM"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenAM Account Takeover via Unverified Password Change in OAuth2 Module"
}

Mitigation
Architecture and Design

When prompting for a password change, force the user to provide the original password in addition to the new password.

Mitigation
Architecture and Design

Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.

No CAPEC attack patterns related to this CWE.