ByteOS Network

NVD Vulnerability Details :

CVE-2026-56267

Deferred

Source-disclosure@vulncheck.com

Published At-20 Jun, 2026 | 16:17

Updated At-22 Jun, 2026 | 19:17

Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	6.9	MEDIUM	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
			N/A

Type: Secondary

Version: 4.0

Base score: 6.9

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: N/A

Version:

Base score:

Base severity: N/A

Vector:

Weaknesses

CWE ID	Type	Source
CWE-200	Secondary	disclosure@vulncheck.com

CWE ID: CWE-200

Type: Secondary

Source: disclosure@vulncheck.com

References

Hyperlink	Source	Resource
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jc5m-wrp2-qq38	disclosure@vulncheck.com	N/A
https://www.vulncheck.com/advisories/flowise-pii-disclosure-via-unauthenticated-forgot-password-endpoint	disclosure@vulncheck.com	N/A
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jc5m-wrp2-qq38	134c704f-9b21-4f2e-91b3-4a467353bcc0	N/A