CVE Reports

Posted on • Originally published at cvereports.com

GHSA-jc5m-wrp2-qq38: PII Disclosure via Flowise Forgot Password Endpoint

Vulnerability ID: GHSA-JC5M-WRP2-QQ38
CVSS Score: 7.5
Published: 2026-03-05

A significant information disclosure vulnerability exists in Flowise versions 3.0.5 and earlier, specifically within the unauthenticated password recovery workflow. The application incorrectly returns full user objects in API responses when verifying email addresses, leaking Personally Identifiable Information (PII) such as full names, internal UUIDs, account status, and creation timestamps to remote attackers.

TL;DR

The Flowise /api/v1/account/forgot-password endpoint leaks user details (ID, name, status) in the HTTP response body. This allows unauthenticated attackers to enumerate valid users and harvest PII by submitting email addresses.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-200
  • Attack Vector: Network (API)
  • CVSS Score: 7.5 (High)
  • Authentication: None Required
  • Impact: PII Disclosure
  • Status: Patched

Affected Systems

  • Flowise: <= 3.0.5 (Fixed in: 3.0.6)

Code Analysis

Commit: 9e178d6

Fix forgot password vulnerability by removing user object from response

Mitigation Strategies

  • Upgrade Flowise to version 3.0.6 or later immediately.
  • Implement generic responses for all authentication-related endpoints.
  • Monitor logs for burst traffic to the forgot-password endpoint.
  • Restrict API access to trusted networks if public access is not required.

Remediation Steps:

  1. Pull the latest Docker image: docker pull flowiseai/flowise:latest
  2. Verify the version is >= 3.0.6 in the application settings or startup logs.
  3. If running from source, check out the main branch or the specific tag v3.0.6 and rebuild the application.
  4. Review application logs for suspicious activity on /api/v1/account/forgot-password prior to the patch date to identify potential compromise.
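
The log monitoring and log review advice above can be turned into a per-client burst check. The following is an added example, not code from the original report or from the Flowise project. It assumes access logs from a reverse proxy in front of Flowise in common/combined log format; the function names, the 60-second window, the threshold of 5 and the sample lines are all constructed for illustration.

```javascript
// Added example: flag bursts of POSTs to the forgot-password endpoint per client IP.
// Assumption: reverse-proxy access logs in common/combined log format.
const ENDPOINT = '/api/v1/account/forgot-password';
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Parse a log timestamp such as "05/Mar/2026:10:00:01 +0000" into epoch milliseconds.
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return NaN;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMs = (m[7] === '-' ? -1 : 1) * (+m[8] * 60 + +m[9]) * 60000;
  return local - offsetMs; // convert local wall-clock time to UTC
}

// Return [{ ip, count, windowStart }] for clients that sent more than `threshold`
// requests to the endpoint within any sliding window of `windowSec` seconds.
function findBursts(lines, { windowSec = 60, threshold = 5 } = {}) {
  const hitsByIp = new Map();
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // skip malformed lines
    const [, ip, ts, method, target] = m;
    const t = parseClfTime(ts);
    const path = target.split('?')[0]; // ignore any query string
    if (method !== 'POST' || path !== ENDPOINT || Number.isNaN(t)) continue;
    if (!hitsByIp.has(ip)) hitsByIp.set(ip, []);
    hitsByIp.get(ip).push(t);
  }
  const bursts = [];
  for (const [ip, times] of hitsByIp) {
    times.sort((a, b) => a - b);
    let start = 0, peak = 0, peakStart = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowSec * 1000) start++;
      if (end - start + 1 > peak) { peak = end - start + 1; peakStart = times[start]; }
    }
    if (peak > threshold) {
      bursts.push({ ip, count: peak, windowStart: new Date(peakStart).toISOString() });
    }
  }
  return bursts;
}

// Constructed sample: one client sends 8 requests in 8 seconds, another sends one.
const sample = Array.from({ length: 8 }, (_, i) =>
  `198.51.100.7 - - [05/Mar/2026:10:00:0${i} +0000] "POST ${ENDPOINT} HTTP/1.1" 200 312`);
sample.push(`192.0.2.10 - - [05/Mar/2026:10:00:03 +0000] "POST ${ENDPOINT} HTTP/1.1" 200 310`);
sample.push('198.51.100.7 - - [05/Mar/2026:10:00:09 +0000] "GET /api/v1/ping HTTP/1.1" 200 4');
console.log(findBursts(sample));
```

Tune the window and threshold to the deployment's normal password-reset volume; a client behind shared NAT can legitimately exceed a low threshold.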

Read the full report for GHSA-JC5M-WRP2-QQ38 on our website for more details including interactive diagrams and full exploit analysis.