Flowise - Mass Assignment in PUT /api/v1/user Allows Password Hash Override
Description
Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Missing field allowlist in the PUT /api/v1/user endpoint allows authenticated users to directly overwrite the credential (password hash) field without validation."
Attack vector
An authenticated attacker sends a `PUT /api/v1/user` request with a crafted JSON body containing their user ID and a pre-computed bcrypt hash in the `credential` field. Because the endpoint does not filter incoming fields, the supplied hash overwrites the stored password hash without requiring the old password, bypassing password change verification, hashing enforcement, policy validation, and session invalidation [ref_id=1]. This allows an attacker who has temporarily obtained a victim's session (e.g., via XSS or token theft) to permanently take over the account [ref_id=1].
Affected code
The vulnerability resides in the `PUT /api/v1/user` endpoint. The controller forwards the entire request body to `userService.updateUser(req.body)` without filtering, and `UserService.updateUser` merges all fields into the existing user entity via `queryRunner.manager.merge(User, oldUserData, newUserData)`. No field allowlist is applied, so sensitive fields such as `credential`, `tempToken`, `tokenExpiry`, `status`, and `email` can be directly overwritten [ref_id=1].
What the fix does
The advisory does not provide a patch diff, but the recommended fix is to implement a field allowlist in the `PUT /api/v1/user` endpoint so that only permitted fields (e.g., name, email) are accepted from the request body, and to enforce the secure password change workflow (requiring `oldPassword`, `newPassword`, and `confirmPassword`) for any credential update [ref_id=1]. Without such filtering, the `merge` operation blindly applies all user-supplied fields, including the `credential` hash.
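The allowlist fix described above, as an added illustration written for this page (not Flowise's own code): an unfiltered merge of the request body is set beside an allowlisted merge that keeps `credential`, `tempToken`, `tokenExpiry` and `status` out of reach. The `User` shape, the allowlist contents and all sample values are constructed assumptions.

```typescript
// Added example, not Flowise code. Fields follow the advisory's description;
// hash strings are placeholders, not real bcrypt output.
type User = {
  id: string;
  name: string;
  email: string;
  credential: string;          // stored password hash
  tempToken: string | null;
  tokenExpiry: string | null;
  status: string;
};

// Assumed allowlist: the only fields PUT /api/v1/user may change directly.
const UPDATABLE_FIELDS = ['name', 'email'] as const;
type UpdatableField = typeof UPDATABLE_FIELDS[number];

// Vulnerable pattern: every key in the body is merged onto the entity,
// mirroring an unfiltered manager.merge(User, oldUserData, newUserData).
function mergeUnfiltered(oldUser: User, body: Record<string, unknown>): User {
  return { ...oldUser, ...(body as Partial<User>) };
}

// Hardened pattern: copy only allowlisted string fields; report the rest so
// the caller can log the attempt or reject the request outright.
function mergeAllowlisted(
  oldUser: User,
  body: Record<string, unknown>,
): { user: User; rejected: string[] } {
  const user: User = { ...oldUser };
  const rejected: string[] = [];
  for (const [key, value] of Object.entries(body)) {
    if (key === 'id') continue; // selects the row; never copied onto it
    if ((UPDATABLE_FIELDS as readonly string[]).includes(key) && typeof value === 'string') {
      user[key as UpdatableField] = value;
    } else {
      rejected.push(key);
    }
  }
  return { user, rejected };
}

// Constructed sample data: the stored row and a body carrying a foreign hash.
const storedUser: User = {
  id: 'u1', name: 'alice', email: 'alice@example.test',
  credential: '$2b$10$STORED_HASH_PLACEHOLDER', tempToken: null, tokenExpiry: null, status: 'active',
};
const craftedBody = { id: 'u1', name: 'alice', credential: '$2b$10$FOREIGN_HASH_PLACEHOLDER', tempToken: 'x' };
```

Credential changes then go only through the separate workflow that checks `oldPassword`, `newPassword` and `confirmPassword`, hashes the new value server-side and invalidates existing sessions.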
Preconditions
- Authentication: attacker must have a valid JWT token for an authenticated session
- Input: attacker must know the target user's ID (which is returned upon login)
- Network: attacker must be able to send a PUT request to /api/v1/user
Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-59fh-9f3p-7m39 (MITRE, vendor advisory)
- www.vulncheck.com/advisories/flowise-mass-assignment-in-put-api-v1-user-allows-password-hash-override (MITRE, third-party advisory)