CVE-2026-2095
Flowring · Agentflow
Agentflow by Flowring suffers from an authentication bypass vulnerability, allowing unauthenticated attackers to obtain arbitrary user tokens and impersonate any user.
Executive summary
An unauthenticated attacker can bypass security controls in Agentflow to steal user tokens and log in as any user, including administrators, gaining full control over the system.
Vulnerability
This vulnerability allows an unauthenticated remote attacker to exploit a specific functionality to generate or retrieve valid authentication tokens for any user in the system. This effectively bypasses the entire login mechanism.
Business impact
With a CVSS score of 9.8, the business risk is extreme. An attacker can impersonate high-level executives or system administrators, gaining access to sensitive communications, proprietary workflows, and administrative settings. This leads to a total compromise of user identity and system integrity.
Remediation
Immediate Action: Apply the latest security updates from Flowring, which address the token generation/retrieval flaw, as soon as possible.
Proactive Monitoring: Audit user session logs for multiple concurrent logins from different geographic locations or for administrative logins from unrecognized devices.
Compensating Controls: Implement Multi-Factor Authentication (MFA) across the platform, which may provide an additional layer of defense even if a primary token is compromised.
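As an added illustration of the Proactive Monitoring step (example code written here, not Flowring's tooling or part of the advisory), the script below scans constructed session-log records for the two patterns named above: one account active from different geographic regions within a short window, and administrator logins from devices not in that account's known-device list. The record fields, the one-hour window and the device inventory are assumptions, since the advisory does not describe Agentflow's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample session records; field names are assumptions, not
# Agentflow's real log format.
SAMPLE_SESSIONS = [
    {"user": "alice", "role": "user",  "ts": "2026-03-01T09:00:00", "geo": "TW", "device": "dev-a1"},
    {"user": "alice", "role": "user",  "ts": "2026-03-01T09:20:00", "geo": "DE", "device": "dev-z9"},
    {"user": "admin", "role": "admin", "ts": "2026-03-01T10:00:00", "geo": "TW", "device": "dev-k3"},
    {"user": "admin", "role": "admin", "ts": "2026-03-02T10:05:00", "geo": "TW", "device": "dev-k3"},
    {"user": "admin", "role": "admin", "ts": "2026-03-03T11:00:00", "geo": "TW", "device": "dev-q7"},
    {"user": "bob",   "role": "user",  "ts": "2026-03-01T12:00:00", "geo": "US", "device": "dev-b2"},
]

# Baseline inventory of devices seen for each account (assumed; would come from asset records).
KNOWN_DEVICES = {"admin": {"dev-k3"}, "alice": {"dev-a1"}, "bob": {"dev-b2"}}


def find_concurrent_geo_logins(sessions, window=timedelta(hours=1)):
    """Return (user, geo1, geo2) for sessions of one account from different
    regions that start within `window` of each other (possible token theft)."""
    findings = []
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append((datetime.fromisoformat(s["ts"]), s["geo"]))
    for user, events in by_user.items():
        events.sort()  # chronological, so the inner loop can stop at the window edge
        for i, (t1, g1) in enumerate(events):
            for t2, g2 in events[i + 1:]:
                if t2 - t1 > window:
                    break
                if g1 != g2:
                    findings.append((user, g1, g2))
    return findings


def find_admin_unknown_device_logins(sessions, known_devices):
    """Return (user, device) for administrator logins from a device not in the
    account's known-device set; accounts with no inventory flag every login."""
    return [(s["user"], s["device"]) for s in sessions
            if s["role"] == "admin" and s["device"] not in known_devices.get(s["user"], set())]


def audit(sessions, known_devices):
    """Run both checks and return the findings grouped by check name."""
    return {"concurrent_geo": find_concurrent_geo_logins(sessions),
            "admin_unknown_device": find_admin_unknown_device_logins(sessions, known_devices)}


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_SESSIONS, KNOWN_DEVICES).items():
        print(check, hits)
```

Each hit is a lead for analyst review, not proof of compromise; travel and shared devices produce the same signals.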
Exploitation status
Public Exploit Available: false
Analyst recommendation
The severity of an authentication bypass cannot be overstated. Organizations must prioritize patching this vulnerability to prevent attackers from assuming the identities of legitimate users and compromising the entire organizational workflow managed by Agentflow.