Flowise - PII Disclosure via Unauthenticated Forgot Password Endpoint
Description
Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"The forgot-password endpoint returns the full user object (including PII) instead of a generic success message."
Attack vector
An unauthenticated attacker sends a POST request to `/api/v1/account/forgot-password` with a JSON body containing a known email address (e.g., `{"user":{"email":"victim@example.com"}}`). The endpoint returns the full user object including `id`, `name`, `email`, `status`, `createdDate`, and `updatedDate` [ref_id=1]. This allows the attacker to enumerate valid email addresses and harvest PII without any authentication [CWE-200].
Affected code
The vulnerable endpoint is `POST /api/v1/account/forgot-password` in `packages/server/src/enterprise/services/account.service.ts` (lines 517-545). The `forgotPassword` method returns the full user object via `sanitizeUser()` instead of a generic success message.
What the fix does
The patch modifies the `forgotPassword` method in `account.service.ts` to return a generic success message (e.g., `{"message": "If this email exists, a password reset link has been sent."}`) instead of the sanitized user object [ref_id=1]. This prevents disclosure of PII regardless of whether the email exists, eliminating the information exposure.
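The leaky and fixed response shapes side by side, as an added TypeScript illustration that is not Flowise's code; the in-memory user list, the `passwordHash` field, the `findUser` and `responseLeaksPii` helpers and the "not found" error body are assumptions made for the example.

```typescript
// Added illustration, not Flowise's own code: a minimal in-memory model of
// the forgot-password flow with the leaky response beside the fixed one.
interface User {
  id: string; name: string; email: string; status: string;
  createdDate: string; updatedDate: string;
  passwordHash: string; // assumed credential field; stripped by sanitizeUser()
}

// Constructed sample record, not a real account.
const users: User[] = [{
  id: "u-1001", name: "Alice Example", email: "alice@example.com", status: "active",
  createdDate: "2025-01-02T00:00:00Z", updatedDate: "2025-03-04T00:00:00Z",
  passwordHash: "<constructed-hash>",
}];

function findUser(email: string): User | undefined {
  return users.find((u) => u.email.toLowerCase() === email.toLowerCase());
}

// Strips credentials but keeps id, name, email, status and timestamps: still PII.
function sanitizeUser(u: User): Omit<User, "passwordHash"> {
  return { id: u.id, name: u.name, email: u.email, status: u.status,
           createdDate: u.createdDate, updatedDate: u.updatedDate };
}

// Pre-3.0.13 shape as the advisory describes it: the sanitized user object
// goes back to an unauthenticated caller. The distinguishable "not found"
// response is an assumption; it is what makes email enumeration possible.
function forgotPasswordVulnerable(email: string): object {
  const u = findUser(email);
  if (!u) return { error: "User not found" };
  // (reset token generated and mailed here in a real implementation)
  return sanitizeUser(u);
}

// Fixed shape: the same generic body whether or not the email exists.
const GENERIC_MESSAGE = "If this email exists, a password reset link has been sent.";
function forgotPasswordFixed(email: string): { message: string } {
  if (findUser(email)) { /* reset token generated and mailed here; never returned */ }
  return { message: GENERIC_MESSAGE };
}

// Response-level check a test suite can run: does the body expose user fields?
const PII_KEYS = ["id", "name", "email", "status", "createdDate", "updatedDate"];
function responseLeaksPii(body: object): boolean {
  return PII_KEYS.some((k) => k in body);
}
```

Running `responseLeaksPii` against the forgot-password response in an integration test catches a regression of this class regardless of which fields the user object grows later.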
Preconditions
- Auth: No authentication required; the endpoint is publicly accessible
- Input: Attacker must know or guess a valid email address registered in the system
- Network: Attacker sends a POST request to the forgot-password endpoint
Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-jc5m-wrp2-qq38 (MITRE; vendor advisory)
- www.vulncheck.com/advisories/flowise-pii-disclosure-via-unauthenticated-forgot-password-endpoint (MITRE; third-party advisory)