CVE-2025-71327
Flowise · Flowise
An authentication bypass vulnerability in the Flowise /api/v1/account/register endpoint allows unauthenticated attackers to create unauthorized administrative accounts.
Executive summary
An authentication bypass in Flowise allows unauthenticated attackers to register arbitrary accounts, granting full API access and compromising system security.
Vulnerability
The /api/v1/account/register endpoint lacks necessary authentication checks, permitting any remote, unauthenticated user to successfully register an account. This grants the attacker full API access to the underlying application.
Business impact
With a CVSS score of 9.1, this vulnerability allows unauthorized actors to gain administrative-level access to the Flowise system. This leads to complete loss of confidentiality and integrity, as attackers can manage workflows, access sensitive data, and potentially pivot to other integrated systems.
Remediation
Immediate Action: Apply the latest security update from the vendor to enforce proper authentication on the registration endpoint.
Proactive Monitoring: Audit the user account database for unauthorized or suspicious registrations created since the deployment of the affected version.
Compensating Controls: Restrict access to the /api/v1/account/register endpoint via network-level controls or a WAF if the registration feature is not required for public use.
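The following is an added example, not Flowise's own code, written to illustrate the missing check the Vulnerability section describes and the audit step under Proactive Monitoring. It models a registration route twice: first in the unguarded shape the advisory describes, then gated by an authentication and role check, and adds a helper that scans access-log lines for registrations that succeeded without an authenticated caller. The session tokens, user records and log field names are all constructed for this example.

```javascript
// Added example, not Flowise's own code: a framework-free model of an account
// registration route, first in the unguarded shape the advisory describes and
// then gated by an authentication and role check, plus a log-audit helper for
// the "Proactive Monitoring" step. Session tokens, user records and log fields
// are all constructed for this example.

// Constructed session store: bearer token -> authenticated principal.
const SESSIONS = {
  "tok-admin-1": { id: "u1", role: "admin" },
  "tok-user-7": { id: "u7", role: "user" },
};

// In-memory user table that createAccount() appends to.
const users = [];

// Resolve the caller from the Authorization header; null when unauthenticated.
function authenticate(req) {
  const header = (req.headers && req.headers.authorization) || "";
  const m = /^Bearer (\S+)$/.exec(header);
  return m ? SESSIONS[m[1]] || null : null;
}

// Shared account creation: validates the body and assigns the requested role.
function createAccount(body) {
  if (!body || typeof body.email !== "string" || typeof body.password !== "string") {
    return { status: 400, body: { error: "email and password are required" } };
  }
  const role = body.role === "admin" ? "admin" : "user";
  const user = { id: `u${users.length + 1}`, email: body.email, role };
  users.push(user);
  return { status: 201, body: { id: user.id, email: user.email, role } };
}

// Vulnerable shape (models the flaw the advisory describes): nothing checks
// who is calling, so any remote client can create an account, admin included.
function registerUnprotected(req) {
  return createAccount(req.body);
}

// Hardened shape: the caller must present a valid session AND hold the admin
// role before an account is created. 401/403 are returned before the body is
// looked at.
function registerProtected(req) {
  const caller = authenticate(req);
  if (!caller) return { status: 401, body: { error: "authentication required" } };
  if (caller.role !== "admin") return { status: 403, body: { error: "admin role required" } };
  return createAccount(req.body);
}

// Constructed JSON-lines access log, as a reverse proxy in front of the API
// might emit. The field names (ts, src, method, path, status, authenticated)
// are assumed for this example.
const SAMPLE_LOG = `
{"ts":"2025-11-30T09:12:03Z","src":"10.0.0.12","method":"POST","path":"/api/v1/account/register","status":201,"authenticated":true}
{"ts":"2025-12-02T01:44:10Z","src":"203.0.113.5","method":"POST","path":"/api/v1/account/register","status":201,"authenticated":false}
{"ts":"2025-12-02T01:44:12Z","src":"203.0.113.5","method":"GET","path":"/api/v1/chatflows","status":200,"authenticated":true}
{"ts":"2025-12-03T14:05:00Z","src":"198.51.100.9","method":"POST","path":"/api/v1/account/register","status":401,"authenticated":false}
`.trim();

// Audit helper for the "Proactive Monitoring" step: return every registration
// that succeeded (201) without an authenticated caller on or after `since`
// (the time the affected version was deployed). Malformed lines are skipped.
function findSuspiciousRegistrations(logText, since) {
  const cutoff = Date.parse(since);
  const hits = [];
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    if (entry.method !== "POST" || entry.path !== "/api/v1/account/register") continue;
    if (entry.status !== 201 || entry.authenticated === true) continue;
    if (Date.parse(entry.ts) < cutoff) continue;
    hits.push({ ts: entry.ts, src: entry.src });
  }
  return hits;
}

// Stand-alone run: the unguarded route accepts an anonymous caller (the flaw),
// the guarded one rejects it, and the audit surfaces the one suspect account.
console.log(registerUnprotected({ headers: {}, body: { email: "x@example.com", password: "p", role: "admin" } }).status);
console.log(registerProtected({ headers: {}, body: { email: "y@example.com", password: "p" } }).status);
console.log(findSuspiciousRegistrations(SAMPLE_LOG, "2025-12-01T00:00:00Z"));
```

The audit keys on the combination of a successful status and an absent session, which is the signature this advisory gives for the flaw; a deployment whose proxy does not record whether a request carried a valid session should instead cross-check the log against the account table's creation timestamps, as the Proactive Monitoring step describes.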
Exploitation status
Public Exploit Available: N/A
Analyst recommendation
The ability for an unauthenticated user to register an account constitutes a critical security failure. Administrators should verify current user lists immediately and deploy the vendor's patch to prevent further unauthorized account creation.