Flowise 3.0.12: Forgot-Password Endpoint Exposes PII
CVE-2026-56267 Published on June 20, 2026
Flowise - PII Disclosure via Unauthenticated Forgot Password Endpoint
Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses.
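The response pattern described above, next to a uniform-response alternative and a regression check that tells them apart. This is an added JavaScript illustration, not Flowise source code and not the 3.0.13 patch; the in-memory store, handler names, field names and messages are assumptions.

```javascript
// Added illustration, not Flowise source. Store, handler names, field names
// and messages are assumptions; the sample account below is constructed.
const crypto = require('node:crypto');

const users = new Map([
  ['alice@example.com', {
    id: 'u-1001', name: 'Alice Example', email: 'alice@example.com',
    status: 'active', createdDate: '2025-01-10T09:00:00Z',
  }],
]);
const outbox = []; // stands in for a mail queue

// Leaky pattern: the stored record is echoed to an unauthenticated caller,
// and an unknown address gets a different status and body.
function forgotPasswordLeaky(email) {
  const user = users.get(email);
  if (!user) return { status: 404, body: { message: 'User not found' } };
  return { status: 200, body: user };
}

// Uniform pattern: same status and body for every address. The reset token
// is generated server-side and only leaves through the mail queue.
const GENERIC_MESSAGE = 'If that address is registered, a reset link has been sent.';

function forgotPasswordHardened(email) {
  const user = users.get(String(email).trim().toLowerCase());
  if (user) {
    const token = crypto.randomBytes(32).toString('hex');
    outbox.push({ to: user.email, token });
  }
  return { status: 200, body: { message: GENERIC_MESSAGE } };
}

// Regression check: a handler leaks if known and unknown addresses get
// different responses, or if any stored field value appears in the response.
function leaksAccountInfo(handler, knownEmail, unknownEmail) {
  const known = JSON.stringify(handler(knownEmail));
  const unknown = JSON.stringify(handler(unknownEmail));
  const record = users.get(knownEmail);
  const echoesRecord = Object.values(record).some((v) => known.includes(v));
  return known !== unknown || echoesRecord;
}
```

A byte-identical body does not cover response timing, so the mail work should stay queued rather than run inline with the lookup.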
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2026-56267 has been classified as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2026-56267
Affected Versions
Flowise:
- Before 3.0.13 is affected.
- Version 3.0.13 is unaffected.