GHSA-jc5m-wrp2-qq38: Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint

March 5, 2026

The /api/v1/account/forgot-password endpoint returns the full user object including PII (id, name, email, status, timestamps) in the response body instead of a generic success message. This exposes sensitive user information to unauthenticated attackers who only need to know a valid email address.

References

github.com/FlowiseAI/Flowise
github.com/FlowiseAI/Flowise/security/advisories/GHSA-jc5m-wrp2-qq38
github.com/advisories/GHSA-jc5m-wrp2-qq38

Code Behaviors & Features

Detect and mitigate GHSA-jc5m-wrp2-qq38 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →