CVE-2026-56267 | Flowise before 3.0.13 contains an information exposure vulne… | CVSS 6.9 MEDIUM

Description

Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses.

Metadata

CVE ID: CVE-2026-56267
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 01:47 UTC
Published: 2026-06-20 15:24 UTC
Last updated: 2026-06-20 15:24 UTC
Primary CWE: CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
Vendor / Product: Flowise / Flowise
Sources: cve.org · NVD

Severity & Metrics

6.9 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
Flowise	Flowise	—	0 < 3.0.13, 3.0.13

Weakness (CWE)

CWE	Source	Description
CWE-200	cna	Exposure of Sensitive Information to an Unauthorized Actor

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N

References (2)

GHSA Advisory GHSA-jc5m-wrp2-qq38 https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jc5m-wrp2-qq38
VulnCheck Advisory: Flowise - PII Disclosure via Unauthenticated Forgot Password Endpoint https://www.vulncheck.com/advisories/flowise-pii-disclosure-via-unauthenticated-forgot-password-endpoint