CVE-2026-56267
Deferred Deferred - Pending Action

Flowise Information Exposure via Unauthenticated Forgot-Password Endpoint

Vulnerability report for CVE-2026-56267, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-20

Last updated on: 2026-06-22

Assigner: VulnCheck

Description

Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-20
Last Modified
2026-06-22
Generated
2026-07-11
AI Q&A
2026-06-20
EPSS Evaluated
2026-07-09
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
flowiseai flowise to 3.0.13 (exc)
flowiseai flowise 3.0.12

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56267 is an information exposure vulnerability in Flowise versions before 3.0.13. It affects the POST /api/v1/account/forgot-password endpoint, which improperly returns full user objects containing personally identifiable information (PII) to unauthenticated attackers.

An attacker can send requests with known email addresses to this endpoint and receive detailed user data such as user IDs, names, account status, email addresses, and timestamps. This allows attackers to enumerate valid accounts and harvest sensitive user information.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive user information, including PII such as user IDs, names, emails, account status, and timestamps.

Attackers can use this information to enumerate valid user accounts and profile users, which may facilitate further malicious activities like social engineering, phishing attacks, or targeted exploitation.

Detection Guidance

This vulnerability can be detected by sending POST requests to the /api/v1/account/forgot-password endpoint with known or suspected email addresses and observing the response.

If the response returns full user objects containing personally identifiable information (PII) such as user IDs, names, account status, and timestamps instead of a generic success message, the system is vulnerable.

A sample command using curl to test this would be:

  • curl -X POST https://your-target-domain/api/v1/account/forgot-password -H "Content-Type: application/json" -d '{"email":"[email protected]"}'

If the response includes detailed user information rather than a generic confirmation, it indicates the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade Flowise to version 3.0.13 or later, where this vulnerability has been patched.

Until the upgrade can be applied, consider restricting access to the /api/v1/account/forgot-password endpoint to authenticated users only or implementing rate limiting and monitoring to detect suspicious enumeration attempts.

Additionally, review logs for unusual activity related to password reset requests and alert on patterns that may indicate exploitation attempts.

Compliance Impact

This vulnerability exposes personally identifiable information (PII) such as user IDs, names, email addresses, account status, and timestamps to unauthenticated attackers. Such exposure of sensitive user data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on the confidentiality and security of PII.

By allowing attackers to enumerate valid email addresses and harvest sensitive user data, the vulnerability increases the risk of privacy breaches, unauthorized data access, and potential misuse of personal information, all of which are critical concerns under these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56267. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart