Description
Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses.
Published: 2026-06-20
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Flowise before version 3.0.13 has an information exposure flaw in the POST /api/v1/account/forgot-password endpoint, which returns complete user objects, including personally identifiable information, to anyone who can reach the endpoint. The leaked data includes user IDs, names, account status, and timestamps. The vulnerability is classified as CWE-200 and carries a CVSS score of 6.9, indicating moderate severity.

Affected Systems

The flaw affects deployments of Flowise (vendor Flowiseai) running any version earlier than 3.0.13. Deployments of older releases that expose the forgot-password API to the internet are vulnerable.

Risk and Exploitability

Because the endpoint requires no authentication, an attacker can supply any email address in a POST request and, if the address exists, obtain the corresponding user record. The absence of an EPSS score and of a KEV listing suggests that widespread exploitation is not yet documented, but the straightforward attack path and moderate CVSS score present a tangible risk to confidentiality.

Generated by OpenCVE AI on June 20, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.0.13 or newer
  • Restrict the /api/v1/account/forgot-password endpoint to trusted networks or authenticated users
  • Implement rate limiting or monitoring for unusual password‑reset requests
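As an added example for the monitoring recommendation above (this is not OpenCVE's or Flowise's code), the script below runs a sliding-window check over a constructed application log and flags any source that issues many forgot-password requests for many distinct addresses in a short time. The log format, field names and thresholds are assumptions for the example, not Flowise's real logging.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (JSON lines); field names are an assumption, not Flowise's real log format.
SAMPLE_LOG = """\
{"ts": "2026-06-20T12:00:01Z", "src_ip": "203.0.113.9", "method": "POST", "path": "/api/v1/account/forgot-password", "email": "a@example.org"}
{"ts": "2026-06-20T12:00:03Z", "src_ip": "198.51.100.7", "method": "POST", "path": "/api/v1/account/forgot-password", "email": "user@example.org"}
{"ts": "2026-06-20T12:00:05Z", "src_ip": "203.0.113.9", "method": "POST", "path": "/api/v1/account/forgot-password", "email": "b@example.org"}
{"ts": "2026-06-20T12:00:09Z", "src_ip": "203.0.113.9", "method": "POST", "path": "/api/v1/account/forgot-password", "email": "c@example.org"}
{"ts": "2026-06-20T12:01:10Z", "src_ip": "198.51.100.7", "method": "POST", "path": "/api/v1/account/forgot-password", "email": "User@example.org"}
{"ts": "2026-06-20T12:00:13Z", "src_ip": "203.0.113.9", "method": "POST", "path": "/api/v1/account/forgot-password", "email": "d@example.org"}
"""

TARGET_PATH = "/api/v1/account/forgot-password"
WINDOW = timedelta(minutes=5)   # sliding window evaluated per source IP
MAX_REQUESTS = 5                # more resets than this in one window is suspicious
MAX_DISTINCT_EMAILS = 3         # a genuine user rarely resets several accounts

def parse_log(text):
    """Keep only POSTs to the forgot-password endpoint, with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") == "POST" and rec.get("path") == TARGET_PATH:
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return events

def detect_enumeration(events, window=WINDOW, max_requests=MAX_REQUESTS,
                       max_emails=MAX_DISTINCT_EMAILS):
    """Return {src_ip: reason} for sources exceeding either threshold in any window."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # log lines may arrive out of order
        by_ip[e["src_ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # shrink window from the left
                start += 1
            win = evs[start:end + 1]
            distinct = {e["email"].lower() for e in win}       # case-fold so one user counts once
            if len(win) > max_requests or len(distinct) > max_emails:
                alerts[ip] = f"{len(win)} forgot-password requests for {len(distinct)} distinct emails within {window}"
                break
    return alerts
```

In the constructed data the source 203.0.113.9 trips the distinct-email threshold while the repeated reset from 198.51.100.7 for one address does not.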


Advisories

No advisories yet.

History

Sat, 20 Jun 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses.
Title | | Flowise - PII Disclosure via Unauthenticated Forgot Password Endpoint
First Time appeared | | Flowiseai; Flowiseai flowise
Weaknesses | | CWE-200
CPEs | | cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Vendors & Products | | Flowiseai; Flowiseai flowise
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T15:24:43.347Z

Reserved: 2026-06-20T01:47:54.000Z

Link: CVE-2026-56267

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T17:30:08Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor