NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-56267

Summary	Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses.
Publication Date	June 21, 2026, 1:17 a.m.
Registration Date	June 27, 2026, 4:07 a.m.
Last Update	June 23, 2026, 4:17 a.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jc5m-wrp2-qq38	disclosure@vulncheck.com
2	https://www.vulncheck.com/advisories/flowise-pii-disclosure-via-unauthenticated-forgot-password-endpoint	disclosure@vulncheck.com
3	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jc5m-wrp2-qq38	134c704f-9b21-4f2e-91b3-4a467353bcc0

Common Vulnerabilities List