Information Exposure Vulnerability in Flowise by FlowiseAI
CVE-2026-56267

6.9 MEDIUM

Key Information:

Vendor: Flowise

Status
Vendor
CVE Published: 20 June 2026

What is CVE-2026-56267?

Flowise prior to version 3.0.13 is susceptible to an information exposure vulnerability within the POST /api/v1/account/forgot-password endpoint. This flaw allows unauthenticated attackers to retrieve full user objects, disclosing personally identifiable information (PII) such as user IDs, names, account statuses, and timestamps. By exploiting this vulnerability, attackers can enumerate valid email addresses and harvest sensitive data, posing a significant risk to user privacy.
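The response pattern described above, next to a uniform-response form and a regression check, as an added example that is not Flowise's code and not taken from its fix. The handler names, the field list, and the in-memory user store are hypothetical, and the sample account is constructed.

```javascript
// Added example: hypothetical handlers, not Flowise's implementation.
const crypto = require('node:crypto');

// Constructed sample account store (all values are made up).
const users = new Map([
  ['alice@example.test', {
    id: 'u-1001', name: 'Alice Example', email: 'alice@example.test',
    status: 'active', createdDate: '2025-01-01T00:00:00Z',
  }],
]);

const GENERIC = Object.freeze({
  message: 'If an account exists for this address, a reset link has been sent.',
});

// Before: echoes the stored user object, so the reply carries PII and
// differs between known and unknown addresses.
function forgotPasswordLeaky(email) {
  const user = users.get(email);
  if (!user) return { status: 404, body: { message: 'User not found' } };
  return { status: 200, body: user };
}

// After: identical status and body for every address; the reset token
// leaves only through the out-of-band mail callback.
function forgotPasswordUniform(email, sendMail) {
  const user = users.get(String(email).trim().toLowerCase());
  if (user) sendMail(user.email, crypto.randomBytes(32).toString('hex'));
  return { status: 200, body: { ...GENERIC } };
}

// Regression check: replies for a known and an unknown address must be
// byte-identical and must not contain any account field.
const ACCOUNT_FIELDS = ['id', 'name', 'email', 'status', 'createdDate'];
function auditHandler(handler, knownEmail, unknownEmail) {
  const known = handler(knownEmail, () => {});
  const unknown = handler(unknownEmail, () => {});
  const leaked = ACCOUNT_FIELDS.filter(
    (f) => f in known.body || f in unknown.body);
  const distinguishable = JSON.stringify(known) !== JSON.stringify(unknown);
  return { leaked, distinguishable };
}
```

In a deployed service the mail send should be queued asynchronously so that response time does not distinguish known addresses from unknown ones.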

Affected Version(s)

Flowise 0 < 3.0.13

Flowise 3.0.13

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

tenbbughunters