PT-2026-51150 · Flowise · Flowise
Tenbbughunters · Published 2026-06-20 · Updated 2026-06-20
CVE-2026-56267
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Flowise versions prior to 3.0.13
Description
An information exposure issue exists in the 'POST /api/v1/account/forgot-password' endpoint. Unauthenticated attackers can enumerate valid email addresses and harvest sensitive user data, including PII (Personally Identifiable Information), user IDs, names, account status, and timestamps, by sending requests with known email addresses. This occurs because the endpoint returns the full user object for a matching email address instead of a generic acknowledgement.
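The following is an added example, not Flowise's own code: a hypothetical forgot-password handler written to match the pattern the description gives (a matching address returns the whole user record, a non-matching one returns an error) beside a hardened handler that answers identically for every input, plus a small regression check that flags any response difference between a known and an unknown address. The user store, record shape, function names and response format are all constructed for the example.

```typescript
// Added example (not Flowise's own code). The user store and record shape are
// constructed; the handler names are hypothetical.

interface UserRecord {
  id: string;
  email: string;
  name: string;
  status: "active" | "disabled";
  createdDate: string;
}

interface HttpResponse {
  status: number;
  body: Record<string, unknown>;
}

// Constructed sample data standing in for the application's user table.
const USERS: UserRecord[] = [
  { id: "u-1001", email: "alice@example.com", name: "Alice Example", status: "active", createdDate: "2026-01-05T10:00:00Z" },
  { id: "u-1002", email: "bob@example.com", name: "Bob Example", status: "disabled", createdDate: "2026-02-11T09:30:00Z" },
];

function findUserByEmail(email: string): UserRecord | undefined {
  return USERS.find((u) => u.email.toLowerCase() === email.trim().toLowerCase());
}

// Out-of-band delivery stub: the reset link belongs in the mail, never in the HTTP reply.
const sentResetMails: string[] = [];
function sendResetEmail(user: UserRecord): void {
  sentResetMails.push(user.email);
}

// Vulnerable pattern (hypothetical, shaped after the advisory's description):
// a hit echoes the stored record, a miss returns an error. Both the status code
// and the body tell the caller whether the address is registered.
function forgotPasswordVulnerable(email: string): HttpResponse {
  const user = findUserByEmail(email);
  if (!user) {
    return { status: 404, body: { message: "User not found" } };
  }
  sendResetEmail(user);
  return { status: 200, body: { ...user } }; // leaks id, name, status, timestamps
}

// Hardened pattern: do the lookup and the side effect as before, but return one
// fixed response for every input so the caller learns nothing about the store.
const GENERIC_BODY = Object.freeze({
  message: "If an account exists for that address, a reset link has been sent.",
});

function forgotPasswordHardened(email: string): HttpResponse {
  const user = findUserByEmail(email);
  if (user) {
    sendResetEmail(user);
  }
  return { status: 200, body: { ...GENERIC_BODY } };
}

// Regression check for this weakness class: call the handler with a known and
// an unknown address; any difference in status or body is an enumeration oracle.
function isEnumerationOracle(
  handler: (email: string) => HttpResponse,
  knownEmail: string,
  unknownEmail: string,
): boolean {
  const hit = handler(knownEmail);
  const miss = handler(unknownEmail);
  return hit.status !== miss.status || JSON.stringify(hit.body) !== JSON.stringify(miss.body);
}

// Which of the sensitive fields named in the advisory does a response expose?
const SENSITIVE_FIELDS = ["id", "name", "status", "createdDate"] as const;
function leakedFields(res: HttpResponse): string[] {
  return SENSITIVE_FIELDS.filter((f) => f in res.body);
}

// Stand-alone demonstration
console.log(isEnumerationOracle(forgotPasswordVulnerable, "alice@example.com", "nobody@example.com")); // true
console.log(isEnumerationOracle(forgotPasswordHardened, "alice@example.com", "nobody@example.com")); // false
console.log(leakedFields(forgotPasswordVulnerable("alice@example.com"))); // ["id","name","status","createdDate"]
```

The hardened handler keeps the lookup on both paths and moves every user-specific detail out of the response; that closes the body and status-code oracles the description names, but a constant body alone does not remove timing differences, so the same check is worth repeating with response-time measurements if the service is exposed to the internet.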
Recommendations
Update to version 3.0.13 or later.
Fix
Information Disclosure
Affected Products: Flowise