PT-2025-37340 · Flowise · Flowise
Arthurgervais (+1)
Published: 2025-09-12 · Updated: 2026-05-18
CVE-2025-58434
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Flowise versions 3.0.5 and earlier
Description
The forgot-password endpoint returns sensitive information, including a valid password reset tempToken, without requiring authentication or verification. This allows a remote attacker to generate a reset token for any user and reset that user's password, leading to a complete account takeover (ATO). The issue affects both the cloud service (cloud.flowiseai.com) and self-hosted or local deployments. Specifically, the endpoint '/api/v1/account/forgot-password' accepts an email address and responds with user details and a tempToken, which can then be used with the '/api/v1/account/reset-password' endpoint to change the password. Over 11,000 vulnerable instances have been identified.
Recommendations
Update to version 3.0.6.
Do not return reset tokens or sensitive account details in API responses; deliver tokens only via registered email.
Configure the forgot-password endpoint to respond with a generic success message to prevent user enumeration.
Implement strong validation for the tempToken, ensuring it is single-use, has a short expiry, is tied to the request origin, and is validated against email delivery.
Log and monitor password reset requests for suspicious activity.
Implement multi-factor verification for sensitive accounts.
Weakness Enumeration
Missing Authentication
Affected Products
Flowise