Flowise Unauthenticated Password Reset Token Disclosure Vulnerability Allowing Account Takeover

Vulnerability

A vulnerability exists in Flowise versions through 3.0.5, both in the cloud service and self-hosted deployments, where the 'forgot-password' endpoint discloses sensitive information, including a valid password reset 'tempToken', without any authentication or verification. This flaw enables attackers to generate reset tokens for arbitrary users and directly reset their passwords, resulting in complete account takeover. The issue arises because the endpoint responds with sensitive user details, including the 'tempToken' and its expiry, which can be immediately used to reset passwords without email verification or user interaction.

Impact

Exploitation of this vulnerability allows for unauthorized password resets, leading to account takeovers. This includes access to sensitive data and the ability to impersonate the user, potentially with administrative privileges.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/v1/account/forgot-password' endpoint with an email address. The response will include a 'tempToken' that can be used to reset the password for that account. This process can be automated or performed manually, and does not require any authentication or verification.

Remediation

Users are advised to update to Flowise version 3.0.6 or later, where this vulnerability has been addressed. For those using self-hosted deployments, ensure that the update is applied and the same security measures are implemented as recommended for the cloud service.
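The flaw described above is a response-disclosure pattern: the forgot-password handler returns the reset token to whoever asked for it, so the email step that is supposed to prove mailbox ownership never matters. The following is an added illustration and is not Flowise code; the advisory does not describe how 3.0.6 fixes the issue, so the handler names (forgotPasswordVulnerable, forgotPasswordHardened, resetPassword), the in-memory stores and the outbox mail sink are all constructed for the example. It places the vulnerable shape beside a hardened one that returns the same generic message whether or not the account exists, delivers the token only to the mailbox, stores just a hash of it, and makes it single-use and time-limited.

```typescript
// Added example, not Flowise code: forgot-password response disclosure beside a
// hardened handler. All stores and the mail sink are constructed stand-ins.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Constructed user store standing in for the application's database.
interface User { email: string; }
const users: Map<string, User> = new Map([
  ["alice@example.com", { email: "alice@example.com" }],
]);

// Reset records keep only a hash of the token, so a leaked table is not usable.
interface ResetRecord { tokenHash: string; expiresAt: number; }
const resetTokens: Map<string, ResetRecord> = new Map();

// Constructed mail sink: a real deployment hands the reset link to a mailer.
export const outbox: { to: string; token: string }[] = [];

// Constructed password store (hash placeholder; production uses argon2/bcrypt).
const passwords: Map<string, string> = new Map();

const TOKEN_TTL_MS = 15 * 60 * 1000;
const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

interface HttpResponse { status: number; body: Record<string, unknown>; }

// Vulnerable shape: the reset token and its expiry are echoed to the
// unauthenticated caller, so the email step proves nothing.
export function forgotPasswordVulnerable(email: string): HttpResponse {
  const user = users.get(email);
  if (!user) return { status: 404, body: { message: "User not found" } };
  const tempToken = randomBytes(32).toString("hex");
  const expiresAt = Date.now() + TOKEN_TTL_MS;
  resetTokens.set(email, { tokenHash: sha256(tempToken), expiresAt });
  return { status: 200, body: { email, tempToken, expiresAt } };
}

// Hardened shape: identical response for known and unknown accounts (no
// enumeration), token leaves only via the mailbox, only its hash is stored.
export function forgotPasswordHardened(email: string): HttpResponse {
  const user = users.get(email);
  if (user) {
    const tempToken = randomBytes(32).toString("hex");
    resetTokens.set(email, { tokenHash: sha256(tempToken), expiresAt: Date.now() + TOKEN_TTL_MS });
    outbox.push({ to: email, token: tempToken });
  }
  return {
    status: 200,
    body: { message: "If an account exists for that address, a reset link has been sent." },
  };
}

// Reset step shared by both flows: presented token must hash to the stored
// value (constant-time compare), be unexpired, and is consumed on use.
export function resetPassword(email: string, token: string, newPassword: string): boolean {
  const rec = resetTokens.get(email);
  if (!rec || Date.now() > rec.expiresAt) return false;
  const presented = Buffer.from(sha256(token), "hex");
  const stored = Buffer.from(rec.tokenHash, "hex");
  if (presented.length !== stored.length || !timingSafeEqual(presented, stored)) return false;
  resetTokens.delete(email); // single use
  passwords.set(email, sha256(newPassword));
  return true;
}

// Review/test helper: does a response body carry a non-empty token-like field?
export function responseDisclosesResetToken(body: Record<string, unknown>): boolean {
  return Object.entries(body).some(
    ([key, value]) => /token/i.test(key) && typeof value === "string" && value.length > 0,
  );
}
```

The check in responseDisclosesResetToken is the kind of assertion worth keeping in an integration test for any password-recovery endpoint: the unauthenticated response must never contain the secret that the email is meant to carry, and known and unknown addresses must produce byte-identical responses.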

Added: Sep 12, 2025, 6:17 PM
Updated: Sep 12, 2025, 6:17 PM

Vulnerability Rating

Custom Algorithm

spread          0.3
impact          5.0
exploitability  9.1
remediation     6.0
relevance       0.5
threat          7.0
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.