CVE-2026-2096

9.8 CRITICAL

Published 2026-02-10 · Modified 2026-02-10 · Received

Quick Summary

Agentflow software from Flowring lacks any authentication for a key function. This means anyone on the network can directly interact with its database without needing a password.

Who is affected

Any organization using the vulnerable Agentflow software is affected. An attacker could steal, alter, or erase all data in the application's database.

Recommended fix

Immediately apply the security patch provided by Flowring. If a patch is not available, restrict network access to the Agentflow system as a critical temporary measure.

Technical Description

Agentflow developed by Flowring has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality.

CVSS Details

Attack Vector

NETWORK

Complexity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-288

References

https://forum.flowring.com/post/view?bid=72&id=45611&tpg=1&ppg=1&sty=1#45939
https://www.twcert.org.tw/en/cp-139-10700-3534d-2.html
https://www.twcert.org.tw/tw/cp-132-10699-49c0b-1.html