N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-jc5m-wrp2-qq38

GHSA-jc5m-wrp2-qq38: Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint

Summary

The /api/v1/account/forgot-password endpoint returns the full user object including PII (id, name, email, status, timestamps) in the response body instead of a generic success message. This exposes sensitive user information to unauthenticated attackers who only need to know a valid email address.

Vulnerability Details

| Field | Value | |-------|-------| | CWE | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | | Affected File | packages/server/src/enterprise/services/account.service.ts (lines 517-545) | | Endpoint | POST /api/v1/account/forgot-password | | Authentication | None required | | CVSS 3.1 | 3.7 (Low) |

Root Cause

In account.service.ts, the forgotPassword method returns the sanitized user object instead of a simple success acknowledgment:

public async forgotPassword(data: AccountDTO) {
    // ...
    const user = await this.userService.readUserByEmail(data.user.email, queryRunner)
    if (!user) throw new InternalFlowiseError(StatusCodes.NOT_FOUND, UserErrorMessage.USER_NOT_FOUND)

    data.user = user
    // ... password reset logic ...

    return sanitizeUser(data.user)  // Returns user object with PII
}

The sanitizeUser function only removes sensitive authentication fields:

export function sanitizeUser(user: Partial<User>) {
    delete user.credential    // password hash
    delete user.tempToken     // reset token
    delete user.tokenExpiry

    return user  // Still contains: id, name, email, status, createdDate, updatedDate
}

Impact

An unauthenticated attacker can:

Harvest PII: Collect user IDs, full names, and account metadata
Profile users: Determine account creation dates and activity patterns
Enumerate accounts: Confirm email existence and gather associated data
Enable further attacks: Use harvested data for social engineering or targeted phishing

Exploitation

curl -X POST "https://cloud.flowiseai.com/api/v1/account/forgot-password" \
  -H "Content-Type: application/json" \
  -d '{"user":{"email":"victim@example.com"}}'

Evidence

Request:

POST /api/v1/account/forgot-password HTTP/1.1
Host: cloud.flowiseai.com
Content-Type: application/json

{"user":{"email":"vefag54010@naprb.com"}}

Response (201 Created):

{
    "id": "56c3fc72-4e85-49c9-a4b5-d1a46b373a12",
    "name": "Vefag naprb",
    "email": "vefag54010@naprb.com",
    "status": "active",
    "createdDate": "2026-01-17T15:21:59.152Z",
    "updatedDate": "2026-01-17T15:35:06.492Z",
    "createdBy": "56c3fc72-4e85-49c9-a4b5-d1a46b373a12",
    "updatedBy": "56c3fc72-4e85-49c9-a4b5-d1a46b373a12"
}

Exposed Data

| Field | Risk | |-------|------| | id | Internal user UUID - enables targeted attacks | | name | Full name - PII disclosure | | email | Email confirmation | | status | Account state information | | createdDate | User profiling | | updatedDate | Activity tracking | | createdBy / updatedBy | Internal reference leak |

Expected Behavior

A secure forgot-password endpoint should return a generic response regardless of whether the email exists:

{"message": "If this email exists, a password reset link has been sent."}

References

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-jc5m-wrp2-qq38

GHSA-jc5m-wrp2-qq38:

N/A

CVSS Score

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
flowise	npm	<= 3.0.12	3.0.13

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability analysis identified an information disclosure flaw in Flowise's password management functionality. The root cause was located in the account.service.ts file, where the forgotPassword and resetPassword methods within the AccountService class were returning a user object, even after sanitization, which exposed sensitive Personally Identifiable Information (PII). The provided commit patch confirms this vulnerability by replacing the return of the user object (sanitizeUser(data.user)) with a generic success message ({ message: 'success' }). This change prevents unauthenticated attackers from harvesting user data through the forgot password endpoint. The resetPassword function was also patched, indicating a similar vulnerability existed there. The identified vulnerable functions, AccountService.forgotPassword and AccountService.resetPassword, would be the key indicators in a runtime profile during an exploitation attempt.

Vulnerable functions

AccountService.forgotPassword

packages/server/src/enterprise/services/account.service.ts

The `forgotPassword` method returned a sanitized user object that still contained Personally Identifiable Information (PII). An unauthenticated attacker could exploit this by sending a request to the `/api/v1/account/forgot-password` endpoint with a known email address, thereby obtaining sensitive user data. The patch mitigates this by returning a generic success message instead of the user object.

AccountService.resetPassword

packages/server/src/enterprise/services/account.service.ts

Similar to the `forgotPassword` method, the `resetPassword` method also returned a sanitized user object containing PII. An attacker with a valid reset token could potentially exploit this to gain access to user information. The patch addresses this by returning a generic success message, preventing the data leak.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-jc5m-wrp2-qq38: Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint

Summary

Vulnerability Details

Root Cause

Impact

Exploitation

Evidence

Exposed Data

Expected Behavior

References

GHSA-jc5m-wrp2-qq38:

N/A

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

N/A

N/A

Basic Information

Basic Information

GHSA-jc5m-wrp2-qq38: Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint

Summary

Vulnerability Details

Root Cause

Impact

Exploitation

Evidence

Exposed Data

Expected Behavior

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI