CVE-2026-56267— Flowise - PII Disclosure via Unauthenticated Forgot Password Endpoint
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-56267
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Flowise - PII Disclosure via Unauthenticated Forgot Password Endpoint
Source: NVD (National Vulnerability Database)
Vulnerability Description
Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-56267
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-56267
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-56267 (1)
Other References for CVE-2026-56267 (1)
Same Patch Batch · Flowise · 2026-06-20 · 4 CVEs total
| CVE-2024-58351 | 9.8 CRITICAL | Flowise - Remote Code Execution via overrideConfig Parameter |
| CVE-2025-71331 | 6.1 MEDIUM | Flowise - Cross-Site Scripting in Chat Messages and Agent Workflows |
| CVE-2026-56276 | Flowise - Mass Assignment in PUT /api/v1/user Allows Password Hash Override |
IV. Related Vulnerabilities
Same product: Flowise
- CVE-2025-71338
Flowise - Arbitrary File Write to Remote Code Execution via - CVE-2025-71336
Flowise - Unsandboxed Remote Code Execution via Custom MCP - CVE-2025-71334
Flowise - Arbitrary File Access via Missing Chat Flow ID Val - CVE-2025-71335
Flowise - Session Invalidation Failure After Password Change - CVE-2025-71333
Flowise - Arbitrary File Upload via Unauthenticated /api/v1/
Same vendor: Flowise
- CVE-2025-71336
Flowise - Unsandboxed Remote Code Execution via Custom MCP - CVE-2025-71338
Flowise - Arbitrary File Write to Remote Code Execution via - CVE-2025-71334
Flowise - Arbitrary File Access via Missing Chat Flow ID Val - CVE-2025-71335
Flowise - Session Invalidation Failure After Password Change - CVE-2025-71333
Flowise - Arbitrary File Upload via Unauthenticated /api/v1/
Same weakness: CWE-200
- CVE-2026-57231
Podman: Malformed Image can trick podman run into leaking ho - CVE-2026-55180
pnpm: Repository config can expand victim environment secret - CVE-2026-50017
pnpm binds unscoped user-level npm auth credentials to a rep - CVE-2026-52815
Gogs: Unauthenticated Organization Teams Information Disclos - CVE-2026-53949
Ghost Content API filter bypass reveals private fields
V. Comments for CVE-2026-56267
No comments yet