CVE-2026-2095

9.8 CRITICAL

Published 2026-02-10 · Modified 2026-02-10 · Received

Quick Summary

A critical flaw in Flowring's Agentflow software allows attackers to bypass login entirely. They can get any user's login token and access the system without a password.

Who is affected

All unpatched Agentflow systems are affected. An attacker could log in as any user, including administrators, to steal data or take full control.

Recommended fix

Immediately apply the security patch provided by Flowring. If a patch is not available, isolate the Agentflow system from the internet as a temporary mitigation.

Technical Description

Agentflow developed by Flowring has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain arbitrary user authentication token and log into the system as any user.

CVSS Details

Attack Vector

NETWORK

Complexity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-288

References

https://forum.flowring.com/post/view?bid=72&id=45611&tpg=1&ppg=1&sty=1#45939
https://www.twcert.org.tw/en/cp-139-10700-3534d-2.html
https://www.twcert.org.tw/tw/cp-132-10699-49c0b-1.html