CWE-620
AllowedUnverified Password Change
Abstraction: Base · Status: Draft
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
157 vulnerabilities reference this CWE, most recent first.
GHSA-974C-VF2R-989V
Vulnerability from github – Published: 2022-09-08 00:00 – Updated: 2022-09-13 00:00Unverified Password Change in GitHub repository phpfusion/phpfusion prior to 9.10.20.
{
"affected": [],
"aliases": [
"CVE-2022-3152"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-07T15:15:00Z",
"severity": "HIGH"
},
"details": "Unverified Password Change in GitHub repository phpfusion/phpfusion prior to 9.10.20.",
"id": "GHSA-974c-vf2r-989v",
"modified": "2022-09-13T00:00:35Z",
"published": "2022-09-08T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3152"
},
{
"type": "WEB",
"url": "https://github.com/phpfusion/phpfusion/commit/57c96d4a0c00e8e1e25100087654688123c6e991"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/b3f888d2-5c71-4682-8287-42613401fd5a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9WGG-M99Q-HHFC
Vulnerability from github – Published: 2023-12-19 23:12 – Updated: 2023-12-20 17:54Impact
In versions of the proxy from 2022-09-05 onwards (since 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f), expired OAuth 2.0 client credentials grant (CCG) flow authorisation tokens could be renewed automatically without checking their validity against the original account configuration (i.e., the password that was set up when first creating an account in the proxy).
An attacker with knowledge of valid account addresses and careful timing (specifically, attempting to log in during a period from 10 minutes prior to the token expiry time, but before a genuine login request is received) could use this issue to gain access to an account.
This issue is only a security concern if you use the proxy with the CCG flow and no additional account secret encryption (see below). If this is the case, it is particularly important to update if you use the proxy in a publicly-accessible setting (i.e., it is available from the internet or across a network). To fix the issue you should switch to version 2023-12-19 or later of the proxy immediately.
If you use this flow, but have also set encrypt_client_secret_on_first_use = True and removed the original client_secret value from the proxy's configuration file then this issue is not a concern.
For all other use-cases (e.g., a normal interactive account authentication, or the ROPCG flow), this issue is also not a concern. However, it is always recommended as best practice to keep the proxy up-to-date.
Patches
Email OAuth 2.0 Proxy version 2023-12-19 (commit eaaa1a2e7a132bf0958dd2f99a749ad98e3212aa) fixes this issue.
Issue details
Because it was originally designed for use as an interactive, local-only service on a single device, the proxy automatically resets account access tokens if incorrect IMAP/POP/SMTP login details are provided. For public-facing deployments, the delete_account_token_on_password_error option is provided, and can be set to False to disable this behaviour, which would normally be only a nuisance, rather than a security risk.
Regardless of this option's value, the proxy encrypts locally-stored tokens, and requires interactive re-authentication (or, with the resource owner password credentials grant (ROPCG) flow, the correct remote account password) to renew tokens if they expire or are reset. The proxy's token retrieval implementation was created with this interactive process in mind.
The CCG flow is an administrator-level method that grants broad access without user knowledge or consent – no user interaction (or remote account password) is ever required. From 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f until the fix in eaaa1a2e7a132bf0958dd2f99a749ad98e3212aa, when CCG tokens neared their expiry date (or had already expired), and the original unencrypted client_secret value was available they were automatically reset, renewed and encrypted with the given login password, but without checking whether that password was actually able to decrypt the existing token.
Detecting unauthorised access
If you do not use the OAuth 2.0 CCG flow (which is currently only known to be supported by O365), unauthorised account access was not possible.[^1] Attempts to exploit this flaw will be revealed in the same way as any other malicious access: an unexpected reauthorisation prompt from the proxy when trying to log in with the legitimate account details.
When using the CCG flow, if you have set delete_account_token_on_password_error = False, unauthorised access will be revealed by the presence of an unexpected login failure from the proxy when attempting to log in with the correct password.
It you have not set this value, it is not possible to detect unauthorised access in O365 CCG mode except via AAD/Entra or other external logs. However, it is also worth reiterating that the CCG flow should never be used in a publicly-accessible context due to the significant and potentially dangerous account control it provides.
[^1]: If you are using a provider that does not provide an OAuth 2.0 refresh token (or have configured your account's scope so that this is not present), it is possible to trigger the line of code that caused this issue, but there is no way to use it for account access because interactive authentication is still required.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2023.11.18"
},
"package": {
"ecosystem": "PyPI",
"name": "emailproxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2023.12.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-19T23:12:03Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nIn versions of the proxy from `2022-09-05` onwards (since 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f), expired OAuth 2.0 client credentials grant (CCG) flow authorisation tokens could be renewed automatically without checking their validity against the original account configuration (i.e., the password that was set up when first creating an account in the proxy).\n\nAn attacker with knowledge of valid account addresses and careful timing (specifically, attempting to log in during a period from 10 minutes prior to the token expiry time, but before a genuine login request is received) could use this issue to gain access to an account.\n\nThis issue is only a security concern if you use the proxy with the CCG flow and no additional account secret encryption (see below). If this is the case, it is particularly important to update if you use the proxy in a publicly-accessible setting (i.e., it is available from the internet or across a network). To fix the issue you should switch to version [`2023-12-19`](https://github.com/simonrob/email-oauth2-proxy/releases/tag/2023-12-19) or later of the proxy immediately.\n\nIf you use this flow, but have also set `encrypt_client_secret_on_first_use = True` *and* removed the original `client_secret` value from the proxy\u0027s configuration file then this issue is not a concern.\n\nFor all other use-cases (e.g., a normal interactive account authentication, or the ROPCG flow), this issue is also not a concern. However, it is always recommended as best practice to keep the proxy up-to-date.\n\n\n### Patches\n[Email OAuth 2.0 Proxy version `2023-12-19`](https://github.com/simonrob/email-oauth2-proxy/releases/tag/2023-12-19) (commit eaaa1a2e7a132bf0958dd2f99a749ad98e3212aa) fixes this issue.\n\n\n### Issue details\nBecause it was originally designed for use as an interactive, local-only service on a single device, the proxy automatically resets account access tokens if incorrect IMAP/POP/SMTP login details are provided. For public-facing deployments, the `delete_account_token_on_password_error` option is provided, and can be set to `False` to disable this behaviour, which would normally be only a nuisance, rather than a security risk.\n\nRegardless of this option\u0027s value, the proxy encrypts locally-stored tokens, and requires interactive re-authentication (or, with the resource owner password credentials grant (ROPCG) flow, the correct remote account password) to renew tokens if they expire or are reset. The proxy\u0027s token retrieval implementation was created with this interactive process in mind.\n\nThe CCG flow is an administrator-level method that grants broad access without user knowledge or consent \u2013 no user interaction (or remote account password) is ever required. From 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f until the fix in eaaa1a2e7a132bf0958dd2f99a749ad98e3212aa, when CCG tokens neared their expiry date (or had already expired), and the original unencrypted `client_secret` value was available they were automatically reset, renewed and encrypted with the given login password, but without checking whether that password was actually able to decrypt the _existing_ token.\n\n\n### Detecting unauthorised access\nIf you do not use the OAuth 2.0 CCG flow (which is currently only known to be supported by O365), unauthorised account access was not possible.[^1] Attempts to exploit this flaw will be revealed in the same way as any other malicious access: an unexpected reauthorisation prompt from the proxy when trying to log in with the legitimate account details.\n\nWhen using the CCG flow, if you have set `delete_account_token_on_password_error = False`, unauthorised access will be revealed by the presence of an unexpected login failure from the proxy when attempting to log in with the correct password.\n\nIt you have not set this value, it is not possible to detect unauthorised access in O365 CCG mode except via AAD/Entra or other external logs. However, it is also worth reiterating that the CCG flow should never be used in a publicly-accessible context due to the significant and potentially dangerous account control it provides.\n\n[^1]: If you are using a provider that does not provide an OAuth 2.0 refresh token (or have configured your account\u0027s scope so that this is not present), it is possible to trigger the line of code that caused this issue, but there is no way to use it for account access because interactive authentication is still required.",
"id": "GHSA-9wgg-m99q-hhfc",
"modified": "2023-12-20T17:54:54Z",
"published": "2023-12-19T23:12:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/simonrob/email-oauth2-proxy/security/advisories/GHSA-9wgg-m99q-hhfc"
},
{
"type": "WEB",
"url": "https://github.com/simonrob/email-oauth2-proxy/commit/8c874c2ff3d503ac20c7d32f46e08547fcb9e23f"
},
{
"type": "WEB",
"url": "https://github.com/simonrob/email-oauth2-proxy/commit/eaaa1a2e7a132bf0958dd2f99a749ad98e3212aa"
},
{
"type": "PACKAGE",
"url": "https://github.com/simonrob/email-oauth2-proxy"
},
{
"type": "WEB",
"url": "https://github.com/simonrob/email-oauth2-proxy/releases/tag/2023-12-19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Expired tokens can be renewed without validating the account password"
}
GHSA-C68V-2764-RF86
Vulnerability from github – Published: 2026-02-16 09:30 – Updated: 2026-02-16 09:30A vulnerability was identified in vichan-devel vichan up to 5.1.5. This vulnerability affects unknown code of the file inc/mod/pages.php of the component Password Change Handler. The manipulation of the argument Password leads to unverified password change. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-2543"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-16T07:17:01Z",
"severity": "MODERATE"
},
"details": "A vulnerability was identified in vichan-devel vichan up to 5.1.5. This vulnerability affects unknown code of the file inc/mod/pages.php of the component Password Change Handler. The manipulation of the argument Password leads to unverified password change. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-c68v-2764-rf86",
"modified": "2026-02-16T09:30:30Z",
"published": "2026-02-16T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2543"
},
{
"type": "WEB",
"url": "https://github.com/lakshayyverma/CVE-Discovery/blob/main/vichan.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.346152"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.346152"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.749716"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CC6X-8CC7-9953
Vulnerability from github – Published: 2024-11-05 15:08 – Updated: 2025-01-21 17:56Impact
OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user's or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account's password.
An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted.
Patches
The vulnerability will be patched in version 1.10.3.
Credits
This vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.10.2"
},
"package": {
"ecosystem": "PyPI",
"name": "OctoPrint"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-51493"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-620"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-05T15:08:57Z",
"nvd_published_at": "2024-11-05T19:15:07Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nOctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim\u0027s OctoPrint browser session to retrieve/recreate/delete the user\u0027s or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account\u0027s password. \n\nAn attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted.\n\n### Patches\n\nThe vulnerability will be patched in version 1.10.3.\n\n### Credits\n\nThis vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.",
"id": "GHSA-cc6x-8cc7-9953",
"modified": "2025-01-21T17:56:26Z",
"published": "2024-11-05T15:08:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-cc6x-8cc7-9953"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51493"
},
{
"type": "WEB",
"url": "https://github.com/OctoPrint/OctoPrint/commit/9bc80d782d72881b16e20873dcd0b8314324c70c"
},
{
"type": "PACKAGE",
"url": "https://github.com/OctoPrint/OctoPrint"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2024-202.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OctoPrint has API key access in settings without reauthentication"
}
GHSA-CFW8-MQXQ-PP4X
Vulnerability from github – Published: 2025-04-30 21:31 – Updated: 2025-04-30 21:31Unverified Password Change for ANC software that allows an authenticated attacker to bypass the old Password check in the password change form via a web HMI This issue affects ANC software version 1.1.4 and earlier.
{
"affected": [],
"aliases": [
"CVE-2024-47784"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-30T19:15:54Z",
"severity": "LOW"
},
"details": "Unverified Password Change for ANC software that allows an authenticated attacker to bypass the old Password check in the password change form via a web HMI\nThis issue affects ANC software version 1.1.4 and earlier.",
"id": "GHSA-cfw8-mqxq-pp4x",
"modified": "2025-04-30T21:31:48Z",
"published": "2025-04-30T21:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47784"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2CRT000006\u0026LanguageCode=en\u0026DocumentPartId=PDF\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F44Q-84CR-V374
Vulnerability from github – Published: 2026-06-26 00:32 – Updated: 2026-06-26 00:32Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.
{
"affected": [],
"aliases": [
"CVE-2025-71328"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T22:16:58Z",
"severity": "HIGH"
},
"details": "Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.",
"id": "GHSA-f44q-84cr-v374",
"modified": "2026-06-26T00:32:04Z",
"published": "2026-06-26T00:32:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fjh6-8679-9pch"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71328"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/flowise-unverified-password-change-via-account-settings"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FF7M-H5F6-V93R
Vulnerability from github – Published: 2026-05-29 18:31 – Updated: 2026-05-29 18:31The affected KMW CCTV Security Cameras are vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password to a known value without authentication, granting full access to the camera feeds and settings.
{
"affected": [],
"aliases": [
"CVE-2026-5386"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-29T18:17:12Z",
"severity": "CRITICAL"
},
"details": "The affected\u00a0KMW CCTV Security Cameras are\u00a0vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password to a known value without authentication, granting full access to the camera feeds and settings.",
"id": "GHSA-ff7m-h5f6-v93r",
"modified": "2026-05-29T18:31:36Z",
"published": "2026-05-29T18:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5386"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-06.json"
},
{
"type": "WEB",
"url": "https://main.kmw.ro/pub/Firmware/521_421.zip"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FJH6-8679-9PCH
Vulnerability from github – Published: 2025-11-14 20:57 – Updated: 2025-11-14 20:57Summary
Bypass of Password Confirmation - Unverified Password Change (authenticated change without current password)
An authenticated user is allowed to change their account password without supplying the current password or any additional verification. The application does not verify the actor’s authority to perform that credential change (no current-password check, no authorization enforcement). An attacker who is merely authenticated (or who can trick or coerce an authenticated session) can set a new password and gain control of the account. (ATO - Account Takeover)
Details
Occurence - code: https://github.com/FlowiseAI/Flowise/blob/main/packages/ui/src/views/account/index.jsx#L278
Remote and physical scenarios can be considered.
PoC
Repro steps: 1. As logged in user https://cloud.flowiseai.com/account scroll down to 'Security' section 2. Change password to the new password 3. Notice Unverified Password Change (authenticated change without current password)
POC: Password changed, and notice "Password updated" message.
Screenshot:
Impact
Full account takeover (ATO) of affected accounts (loss of confidentiality and integrity of account data). User account recovery mechanisms (password reset flows tied to email) can be bypassed or abused if combined with this issue and the second one which I've reported (similar security issue with the email - part of credentials). (gain persistence)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "flowise-ui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-620"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-14T20:57:31Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nBypass of Password Confirmation - Unverified Password Change (authenticated change without current password)\n\nAn authenticated user is allowed to change their account password without supplying the current password or any additional verification. The application does not verify the actor\u2019s authority to perform that credential change (no current-password check, no authorization enforcement). An attacker who is merely authenticated (or who can trick or coerce an authenticated session) can set a new password and gain control of the account. (ATO - Account Takeover)\n\n### Details\nOccurence - code:\nhttps://github.com/FlowiseAI/Flowise/blob/main/packages/ui/src/views/account/index.jsx#L278 \n\nRemote and physical scenarios can be considered.\n\n### PoC\n**Repro steps:**\n1. As logged in user https://cloud.flowiseai.com/account scroll down to \u0027Security\u0027 section\n2. Change password to the new password\n3. Notice Unverified Password Change (authenticated change without current password)\n\n**POC:** \nPassword changed, and notice \"Password updated\" message.\n\n**Screenshot:**\n\u003cimg width=\"467\" height=\"526\" alt=\"secpw\" src=\"https://github.com/user-attachments/assets/4cc52978-9f37-42ca-a2b2-7285c4da9f1c\" /\u003e\n\n\n### Impact\nFull account takeover (ATO) of affected accounts (loss of confidentiality and integrity of account data).\nUser account recovery mechanisms (password reset flows tied to email) can be bypassed or abused if combined with this issue and the second one which I\u0027ve reported (similar security issue with the email - part of credentials). (gain persistence)",
"id": "GHSA-fjh6-8679-9pch",
"modified": "2025-11-14T20:57:31Z",
"published": "2025-11-14T20:57:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fjh6-8679-9pch"
},
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/pull/5294"
},
{
"type": "PACKAGE",
"url": "https://github.com/FlowiseAI/Flowise"
},
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change"
}
GHSA-G494-R69F-J7VQ
Vulnerability from github – Published: 2026-01-23 00:31 – Updated: 2026-01-23 00:31A low-privileged user can bypass account credentials without confirming the user's current authentication state, which may lead to unauthorized privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2025-14751"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-22T22:16:14Z",
"severity": "HIGH"
},
"details": "A low-privileged user can bypass account credentials without confirming the user\u0027s current authentication state, which may lead to unauthorized privilege escalation.",
"id": "GHSA-g494-r69f-j7vq",
"modified": "2026-01-23T00:31:16Z",
"published": "2026-01-23T00:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14751"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-GF57-4MP6-M85X
Vulnerability from github – Published: 2026-06-26 17:33 – Updated: 2026-06-26 17:33Summary
Description
An Unverified Password Change (CWE-620) and Use of Weak Credentials (CWE-1391) issue in OpenAM's OAuth2 authentication module silently rewrites a local user's password to the literal string of their username on OAuth2 re-login of an existing account. The default ldapService chain then accepts the username as the password for that user, allowing an unauthenticated attacker to obtain a session via the standard authenticate endpoint with both username and password set to the username, without any IdP interaction. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.
Impact
OpenAM Community Edition deployments through version 16.0.6 that use the OAuth2 authentication module with account creation enabled (the default) are potentially affected. After two OAuth logins of a given user, that user's local password becomes their username, and the account is reachable through the default ldapService chain with username as both identifier and password. For pre-existing users whose IdP profile resolves against an existing local identifier, the rewrite fires on the very first re-login.
Usernames shorter than the default minimum password length have the rewrite silently denied (so very short administrative accounts are not affected), and the same update path marks accounts active on every OAuth login, silently reactivating disabled accounts.
Successful exploitation grants an unauthenticated attacker a session carrying the victim principal's privileges.
Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.openidentityplatform.openam:openam-auth-oauth2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "16.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46623"
],
"database_specific": {
"cwe_ids": [
"CWE-1391",
"CWE-620"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T17:33:35Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\n**Description**\n\nAn Unverified Password Change (CWE-620) and Use of Weak Credentials (CWE-1391) issue in OpenAM\u0027s OAuth2 authentication module silently rewrites a local user\u0027s password to the literal string of their username on OAuth2 re-login of an existing account. The default ldapService chain then accepts the username as the password for that user, allowing an unauthenticated attacker to obtain a session via the standard authenticate endpoint with both username and password set to the username, without any IdP interaction. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.\n\n## Impact\nOpenAM Community Edition deployments through version 16.0.6 that use the OAuth2 authentication module with account creation enabled (the default) are potentially affected. After two OAuth logins of a given user, that user\u0027s local password becomes their username, and the account is reachable through the default ldapService chain with username as both identifier and password. For pre-existing users whose IdP profile resolves against an existing local identifier, the rewrite fires on the very first re-login.\n\nUsernames shorter than the default minimum password length have the rewrite silently denied (so very short administrative accounts are not affected), and the same update path marks accounts active on every OAuth login, silently reactivating disabled accounts. \n\nSuccessful exploitation grants an unauthenticated attacker a session carrying the victim principal\u0027s privileges.\n\n## Patch\nThis has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.",
"id": "GHSA-gf57-4mp6-m85x",
"modified": "2026-06-26T17:33:35Z",
"published": "2026-06-26T17:33:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-gf57-4mp6-m85x"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenIdentityPlatform/OpenAM"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenAM Account Takeover via Unverified Password Change in OAuth2 Module"
}
Mitigation
When prompting for a password change, force the user to provide the original password in addition to the new password.
Mitigation
Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.
No CAPEC attack patterns related to this CWE.