CVE-2026-56267: Flowise: PII exposure via unauthenticated password reset
Status: Awaiting NVD analysis.
Flowise's forgot-password endpoint returns complete user records (names, IDs, account status, and timestamps) to anyone who sends an unauthenticated POST request containing a registered email address. For organizations running Flowise as their AI agent orchestration platform, this allows systematic email enumeration and bulk PII harvesting across the entire user base with nothing more than an HTTP client. No public exploit exists and the endpoint grants no system access, but the zero-authentication barrier, combined with the 94 earlier CVEs recorded against the same package, points to a systemic security posture concern that elevates this beyond a routine medium finding. Patch to Flowise 3.0.13 immediately. If patching is delayed, block or rate-limit POST /api/v1/account/forgot-password at the reverse proxy or WAF layer and review logs for bulk enumeration. After patching, confirm that the endpoint returns the same generic response for registered and unregistered addresses; a response that still differs by status or body confirms which addresses exist even once the user object is gone.
What is the risk?
Medium technical severity with elevated operational risk for internet-facing Flowise deployments. Exploitation requires zero authentication and no AI/ML knowledge — any HTTP client suffices, making this accessible to low-sophistication threat actors. Blast radius scales with deployment exposure: public-facing instances are at immediate risk of full user base enumeration, while internal deployments behind VPN or network controls have substantially lower exposure. The 94 prior CVEs in the flowise npm package indicate systemic security hygiene concerns; defenders should treat this as a signal to audit the full Flowise attack surface rather than patch this endpoint in isolation.
What should I do?
6 steps
1. Patch to Flowise 3.0.13 or later immediately; this is the vendor-confirmed fix for this disclosure. After upgrading, verify that POST /api/v1/account/forgot-password returns no user fields and the same status and body whether or not the submitted address is registered.
2. If immediate patching is blocked, restrict POST /api/v1/account/forgot-password at the reverse proxy or WAF layer: allow it only from trusted source networks, put a CAPTCHA or bot-management challenge in front of it, or block it outright if self-service password reset is not needed. Requiring a logged-in session is not an option here, since the endpoint exists for users who cannot log in.
3. Rate-limit the endpoint to slow bulk enumeration (e.g., max 5 requests per IP per 15 minutes). This raises the attacker's cost but does not stop enumeration spread across many source addresses, so treat it as a stopgap alongside the controls above.
4. Review access logs for repeated POST requests to /api/v1/account/forgot-password from a single source or in a short burst. Standard access logs do not record the POST body, so the submitted email addresses will not be visible unless request-body logging is enabled at the proxy or WAF; volume and timing per source are the usable signals.
5. If enumeration is detected, assume the returned user list is now a phishing target list: warn those users, and if any Flowise account is subsequently compromised, rotate the credentials reachable from it (LLM API keys, database credentials, and tool integrations stored in Flowise).
6. Given the 94 earlier CVEs in the same package, audit the other Flowise endpoints for similar unauthenticated information disclosure rather than treating this one in isolation.
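The log review in step 4, as runnable detection logic. This is an added example, not Flowise code or a tool from the advisory. It assumes the reverse proxy writes nginx/Apache combined-format access logs in chronological order; the sample log lines are constructed for illustration, and the threshold and window follow the rate-limit suggestion in step 3. Because the combined format omits the request body, the detector keys on request volume per source rather than on the submitted email addresses.

```python
"""Flag sources that hammer the Flowise forgot-password endpoint.

Added example (not Flowise project code). Parses nginx/Apache 'combined'
access-log lines (assumed format) and reports any client IP that sends more
than THRESHOLD POSTs to TARGET_PATH inside a sliding WINDOW. The combined
format does not record the POST body, so the e-mail addresses an attacker
submits are not visible here; per-source volume is the usable signal.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TARGET_PATH = "/api/v1/account/forgot-password"
THRESHOLD = 5                    # more than this many POSTs per source ...
WINDOW = timedelta(minutes=15)   # ... within this window is suspicious

# ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "status": int(m.group("status")),
    }


def find_enumeration(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak_count} for sources exceeding `threshold` POSTs to
    TARGET_PATH within any `window`-long span. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent reset POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != TARGET_PATH:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# Constructed sample log: one scripted burst, one legitimate reset, noise.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Apr/2026:14:02:{s:02d} +0000] "POST {TARGET_PATH} HTTP/1.1" 200 412 "-" "python-requests/2.31"'
    for s in (1, 3, 5, 7, 9, 11, 13)
] + [
    f'198.51.100.4 - - [10/Apr/2026:14:05:40 +0000] "POST {TARGET_PATH} HTTP/1.1" 200 87 "https://flowise.example/" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Apr/2026:14:30:02 +0000] "GET /api/v1/chatflows HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    "not a log line at all",
]

if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f"possible enumeration from {ip}: {count} reset POSTs within {WINDOW}")
```

On the sample above only 203.0.113.7 is reported (seven POSTs in twelve seconds); the single legitimate reset from 198.51.100.4 stays below the threshold. Point `find_enumeration` at the proxy's real log file and lower the threshold if your users rarely reset passwords.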
Frequently Asked Questions
Is CVE-2026-56267 actively exploited?
No confirmed active exploitation of CVE-2026-56267 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-56267?
This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Low-code AI orchestration platforms, Multi-agent systems.
What is the CVSS score for CVE-2026-56267?
No CVSS score has been assigned yet.
What is the AI security impact?
MITRE ATLAS Techniques
AML.T0006 Active Scanning
AML.T0049 Exploit Public-Facing Application
AML.T0052 Phishing
AML.T0087 Gather Victim Identity Information
What are the technical details?
Original Advisory
Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses.
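A post-patch check for the two properties the advisory implies an upgraded instance should have (no user record in the response, and no difference between the response for a registered and an unregistered address), as an added example that is not Flowise project code. It assumes the endpoint accepts a JSON body with an email field and answers with JSON; the response shapes, the key names in PII_KEYS and the sample responses are constructed for illustration and are not the real Flowise schema. The `probe` helper sends the two requests to an instance you operate; `assess` is the offline evaluation and is what the sample run exercises.

```python
"""Check a Flowise forgot-password endpoint for user-record leakage and for an
existence oracle. Added example, not Flowise code. Request/response shapes,
field names and sample bodies are assumptions for illustration.
"""
import json
import urllib.error
import urllib.request

RESET_PATH = "/api/v1/account/forgot-password"

# Keys whose presence means a user record is being echoed back. Assumed names
# derived from the advisory's description (IDs, names, status, timestamps).
PII_KEYS = {"id", "name", "email", "status",
            "createdDate", "updatedDate", "created_at", "updated_at"}


def leaked_fields(body):
    """Sorted list of PII-style keys found at any depth of a JSON body."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if k in PII_KEYS:
                    found.add(k)
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    try:
        walk(json.loads(body))
    except ValueError:
        pass                      # non-JSON body: nothing to inspect
    return sorted(found)


def assess(known, unknown):
    """known/unknown are (status, body) pairs for a registered and an
    unregistered address. Returns a list of findings; [] means both checks pass."""
    findings = []
    for label, (status, body) in (("known", known), ("unknown", unknown)):
        keys = leaked_fields(body)
        if keys:
            findings.append(f"{label}: user record fields in response: {', '.join(keys)}")
    if known[0] != unknown[0]:
        findings.append(f"status differs: {known[0]} vs {unknown[0]} (address-existence oracle)")
    elif known[1] != unknown[1]:
        findings.append("body differs between known and unknown address (address-existence oracle)")
    return findings


def probe(base_url, registered_email, unregistered_email, timeout=10):
    """Send the two reset requests to an instance you operate and return
    (known, unknown) for assess(). Assumes a JSON body {"email": ...}."""
    def post(email):
        req = urllib.request.Request(
            base_url.rstrip("/") + RESET_PATH,
            data=json.dumps({"email": email}).encode(),
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as r:
                return r.status, r.read().decode()
        except urllib.error.HTTPError as e:   # non-2xx is still a data point
            return e.code, e.read().decode()
    return post(registered_email), post(unregistered_email)


# Constructed sample responses (illustrative shapes, not captured from Flowise).
VULNERABLE_KNOWN = (200, json.dumps({"user": {
    "id": "u-1", "name": "Ada", "email": "ada@example.com",
    "status": "active", "createdDate": "2025-01-01T00:00:00Z"}}))
VULNERABLE_UNKNOWN = (404, json.dumps({"message": "User not found"}))
HARDENED = (200, json.dumps(
    {"message": "If that address is registered, a reset link has been sent."}))

if __name__ == "__main__":
    print("vulnerable shape:", assess(VULNERABLE_KNOWN, VULNERABLE_UNKNOWN))
    print("hardened shape:  ", assess(HARDENED, HARDENED))
```

Against the constructed vulnerable shape `assess` reports both the echoed user fields and the 200-vs-404 oracle; the hardened shape, where both addresses get the identical generic message, yields no findings. Run `assess(*probe("https://flowise.example", registered, unregistered))` against your own upgraded instance to confirm the second result.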
Exploitation Scenario
An adversary targeting an organization that uses Flowise for AI agent orchestration identifies a publicly accessible Flowise instance via internet scanning or OSINT. The attacker scripts automated POST requests to /api/v1/account/forgot-password using email addresses harvested from the company's LinkedIn employee list or corporate directory. Each valid email returns a full user object, confirming active accounts and exposing names, user IDs, and account status. The attacker builds a precision list of AI platform administrators and workflow owners, then launches spearphishing emails impersonating Flowise security alerts or admin notifications. Compromised credentials yield access to configured AI agent workflows, embedded LLM API keys, connected database credentials, and integrated tool configurations stored within Flowise.
Weaknesses (CWE)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor (Primary)
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
Related Vulnerabilities
CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection [same package: flowise]
CVE-2026-46442 9.9 Flowise: sandbox escape enables authenticated RCE [same package: flowise]
CVE-2026-40933 9.9 Flowise: RCE via MCP stdio command injection [same package: flowise]
CVE-2025-61913 9.9 Flowise: path traversal in file tools leads to RCE [same package: flowise]
CVE-2026-30821 9.8 flowise: Arbitrary File Upload enables RCE [same package: flowise]