FlowiseAI Flowise User Controller Authorization Bypass Vulnerability

Vulnerability

An authorization bypass vulnerability has been identified in FlowiseAI Flowise versions through 3.0.12. The issue resides in the User Controller Handler, which accepts the 'userId', 'organizationId', 'workspaceId', and 'email' query parameters without proper authorization checks, so an authenticated user can retrieve data outside their own scope. This vulnerability can be exploited remotely, leading to unauthorized access to user profiles and organizational data.

Impact

Exploitation of this vulnerability allows any authenticated user to bypass authorization checks and access sensitive data across the Flowise instance. This includes reading user profiles, enumerating organization memberships, and mapping workspace structures, potentially leading to targeted attacks against specific users or teams.

Reproduction

To reproduce this vulnerability, log into a Flowise instance with an account. Then, send a GET request to the '/api/v1/user' endpoint with an email query parameter. The response will include user data, confirming the authorization bypass. This can be further exploited by using the returned user ID to access organization and workspace membership information through the respective API endpoints.
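The root cause described above, as an added illustration that is not Flowise source code: a simplified user-lookup handler in the pattern of an Express controller, with the query-string-driven lookup beside a version that scopes every lookup to the authenticated caller's own account, workspace and organization. Type and function names (AuthContext, lookupUserUnchecked, lookupUserScoped) and the sample records are hypothetical.

```typescript
// Added illustration, not Flowise source. Type and function names are hypothetical.
interface UserRecord { id: string; email: string; organizationId: string; workspaceId: string }
interface AuthContext { userId: string; organizationId: string; workspaceIds: string[]; isOrgAdmin: boolean }
interface Query { userId?: string; organizationId?: string; workspaceId?: string; email?: string }
interface Result { status: 200 | 403; users: UserRecord[] }

// Constructed sample data: two users in two different organizations.
const userStore: UserRecord[] = [
  { id: "u-1", email: "alice@example.test", organizationId: "org-a", workspaceId: "ws-a1" },
  { id: "u-2", email: "bob@example.test",   organizationId: "org-b", workspaceId: "ws-b1" },
];

// Apply every supplied query parameter as a filter (no authorization happens here).
function matches(u: UserRecord, q: Query): boolean {
  return (q.userId === undefined || u.id === q.userId)
    && (q.email === undefined || u.email === q.email)
    && (q.organizationId === undefined || u.organizationId === q.organizationId)
    && (q.workspaceId === undefined || u.workspaceId === q.workspaceId);
}

// Missing-authorization pattern: the query string alone decides what is returned,
// so any authenticated caller can resolve any user by email or id.
function lookupUserUnchecked(_ctx: AuthContext, q: Query): Result {
  return { status: 200, users: userStore.filter(u => matches(u, q)) };
}

// Hardened pattern: the authenticated identity decides the scope. Every supplied
// identifier must refer to the caller's own organization, workspace or account,
// and a non-admin can only ever resolve their own record, whatever the email says.
function lookupUserScoped(ctx: AuthContext, q: Query): Result {
  const deny: Result = { status: 403, users: [] };
  if (q.organizationId !== undefined && q.organizationId !== ctx.organizationId) return deny;
  if (q.workspaceId !== undefined && ctx.workspaceIds.indexOf(q.workspaceId) === -1) return deny;
  if (!ctx.isOrgAdmin && q.userId !== undefined && q.userId !== ctx.userId) return deny;
  // Narrow the store to what the caller may see before any filter from the
  // query string is applied, so 'email' cannot reach another tenant's records.
  const visible = ctx.isOrgAdmin
    ? userStore.filter(u => u.organizationId === ctx.organizationId)
    : userStore.filter(u => u.id === ctx.userId);
  return { status: 200, users: visible.filter(u => matches(u, q)) };
}
```

The scoped version answers an out-of-scope email lookup with an empty result rather than a 403, so the response does not confirm whether that address exists in another organization.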

Added: May 6, 2026, 8:58 PM
Updated: May 6, 2026, 8:58 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 0.6
exploitability: 6.2
remediation: 0.0
relevance: 7.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.