Flowise – PII Disclosure on Unauthenticated Forgot Password Endpoint

20/04/2026

The /api/v1/account/forgot-password endpoint returns the full user object including PII (id, name, email, status, timestamps) in the response body instead of a generic success message. This exposes sensitive user information to unauthenticated attackers who only need to know a valid email address.

Joshua Martinelle Mon, 04/20/2026 – 10:51
– Read more

Monday	08:00 - 17:00
Tuesday	08:00 - 17:00
Wednesday	08:00 - 17:00
Thursday	08:00 - 17:00
Friday	08:00 - 17:00

Flowise – PII Disclosure on Unauthenticated Forgot Password Endpoint

Latest article

Microsoft Defender Mistakenly Flags DigiCert Root Certificates as Malware

CVE-2025-9403 jqlang jq JSON jq_test.c run_jq_tests assertion

ZenBusiness – 5,118,184 breached accounts

Microsoft Shell Spoofing Zero-day Vulnerability

EDITOR PICKS

Microsoft Defender Mistakenly Flags DigiCert Root Certificates as Malware

CVE-2025-9403 jqlang jq JSON jq_test.c run_jq_tests assertion

ZenBusiness – 5,118,184 breached accounts

POPULAR POSTS

Threats to users of adult websites in 2018

The World’s Most Popular Coding Language Happens to be Most Hackers’...

IT threat evolution Q2 2019

POPULAR CATEGORY

Microsoft Defender Mistakenly Flags DigiCert Root Certificates as Malware

CVE-2025-9403 jqlang jq JSON jq_test.c run_jq_tests assertion

ZenBusiness – 5,118,184 breached accounts