Information disclosure in Flowise
CVE-2026-56267
Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addr…
Vulnerability class: Information Disclosure
Affected products
- Flowise — versions from 0 up to, but not including, 3.0.13
Weakness classification (CWE)
References
- disclosure@vulncheck.com (vendor-advisory)
- disclosure@vulncheck.com (third-party-advisory)