CVE-2026-56267
Status: Received - Intake
Flowise Information Exposure via Unauthenticated Forgot-Password Endpoint

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses.
Meta Information
Published: 2026-06-20
Last Modified: 2026-06-20
Generated: 2026-06-20
AI Q&A: 2026-06-20
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor      Product   Version / Range
flowiseai   flowise   up to 3.0.13 (exclusive)
flowiseai   flowise   3.0.12
CWE
CWE ID    Description
CWE-200   The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

CVE-2026-56267 is an information exposure vulnerability in Flowise versions before 3.0.13. It affects the POST /api/v1/account/forgot-password endpoint, which improperly returns full user objects containing personally identifiable information (PII) to unauthenticated attackers.

An attacker can send requests with known email addresses to this endpoint and receive detailed user data such as user IDs, names, account status, email addresses, and timestamps. This allows attackers to enumerate valid accounts and harvest sensitive user information.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive user information, including PII such as user IDs, names, emails, account status, and timestamps.

Attackers can use this information to enumerate valid user accounts and profile users, which may facilitate further malicious activities like social engineering, phishing attacks, or targeted exploitation.

Detection Guidance

This vulnerability can be detected by sending POST requests to the /api/v1/account/forgot-password endpoint with known or suspected email addresses and observing the response.

If the response returns full user objects containing personally identifiable information (PII) such as user IDs, names, account status, and timestamps instead of a generic success message, the system is vulnerable.

A sample command using curl to test this would be (substitute the address to check for the placeholder):

  curl -X POST https://your-target-domain/api/v1/account/forgot-password -H "Content-Type: application/json" -d '{"email":"<email-address>"}'

If the response includes detailed user information rather than a generic confirmation, it indicates the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade Flowise to version 3.0.13 or later, where this vulnerability has been patched.

Until the upgrade can be applied, consider restricting access to the /api/v1/account/forgot-password endpoint to authenticated users only or implementing rate limiting and monitoring to detect suspicious enumeration attempts.

Additionally, review logs for unusual activity related to password reset requests and alert on patterns that may indicate exploitation attempts.

Compliance Impact

This vulnerability exposes personally identifiable information (PII) such as user IDs, names, email addresses, account status, and timestamps to unauthenticated attackers. Such exposure of sensitive user data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on the confidentiality and security of PII.

By allowing attackers to enumerate valid email addresses and harvest sensitive user data, the vulnerability increases the risk of privacy breaches, unauthorized data access, and potential misuse of personal information, all of which are critical concerns under these regulations.
