GHSA-59fh-9f3p-7m39: Flowise: Mass Assignment in PUT /api/v1/user Allows Authenticated Users to Override Password Hash and Bypass Password Change Verification
A Mass Assignment vulnerability in the PUT /api/v1/user endpoint allows authenticated users to directly modify restricted user fields, including the credential (password hash), bypassing the intended password change workflow.
Because the endpoint forwards the entire request body to the service layer without filtering, an attacker can override the credential field without providing the current password.
This bypasses several security protections including:
- old password verification
- password hashing enforcement
- password policy validation
- session invalidation on password change
While the vulnerability cannot be used to modify other users due to an ID check in the controller, it allows attackers who obtain a temporary session (e.g., via token theft or XSS) to establish persistent account access.
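As an added illustration, not Flowise's own code: the "forward the whole body" pattern the advisory describes, beside an allowlist-based update builder and a separate password-change guard that requires the current password. The field names, `SELF_EDITABLE_FIELDS` and the `verifyCurrent` callback are hypothetical stand-ins for a real schema and hash comparison.

```typescript
type UserUpdateBody = Record<string, unknown>;

// Hypothetical allowlist: fields a user may change on their own account.
// Anything not listed (credential, role, id, ...) must never reach the ORM.
const SELF_EDITABLE_FIELDS: readonly string[] = ["name", "email"];

// Vulnerable pattern: the request body is passed through unchanged, so a
// `credential` key in the JSON overwrites the stored password hash.
function vulnerableBuildUpdate(body: UserUpdateBody): UserUpdateBody {
  return { ...body };
}

// Hardened pattern: copy only allowlisted keys and report the rest so the
// caller can log the attempt (a useful detection signal).
function buildSafeUpdate(
  body: UserUpdateBody,
): { update: UserUpdateBody; rejected: string[] } {
  const update: UserUpdateBody = {};
  const rejected: string[] = [];
  for (const key of Object.keys(body)) {
    if (SELF_EDITABLE_FIELDS.includes(key)) {
      update[key] = body[key];
    } else {
      rejected.push(key);
    }
  }
  return { update, rejected };
}

// Password changes use a dedicated flow: both the current and the new
// password must be present, and the current one must verify against the
// stored hash. `verifyCurrent` is a hypothetical stand-in for that check.
function canChangePassword(
  body: UserUpdateBody,
  verifyCurrent: (plain: string) => boolean,
): boolean {
  const current = body["currentPassword"];
  const next = body["newPassword"];
  if (typeof current !== "string" || typeof next !== "string") return false;
  if (next.length === 0) return false;
  return verifyCurrent(current);
}
```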