Submit #777659: FlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200)info

TitelFlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200)
Beschreibung# Technical Details An Unauthenticated Credential Hash Exposure vulnerability exists in the `verify()` method in `packages/server/src/enterprise/services/account.service.ts` of FlowiseAI Flowise. The POST /api/v1/account/verify endpoint is in WHITELIST_URLS and requires no authentication. The verify() method loads the full User entity including the credential column via readUserByToken(), then returns the entire unsanitized object to the HTTP response. This is an incomplete fix for PR #5167 (commit 9e178d6) which correctly applied sanitizeUser() to resetPassword() and updateUser() but missed verify(). # Vulnerable Code File: packages/server/src/enterprise/services/account.service.ts (lines 507-530) Method: verify() Why: The function loads the full user entity with readUserByToken(), assigns it to data.user, saves it, and returns data — all without calling sanitizeUser() or deleting the credential field. The endpoint is whitelisted in constants.ts line 30 and requires no authentication. # Reproduction 1. Deploy Flowise: docker run -d --name flowise-verify -p 3000:3000 flowiseai/flowise:latest 2. Register an account. 3. Set a verification token in the database (simulating email verification flow). 4. Call the unauthenticated endpoint: POST /api/v1/account/verify with {"user":{"tempToken":"<token>"}} 5. The response contains the full user object including the bcrypt credential hash. # Impact - Unauthenticated attacker can retrieve bcrypt password hashes via valid tempToken. - Offline password cracking with hashcat/john. - Credential stuffing against other services. - Every user who verifies their email receives their hash in the browser network tab.
Quelle⚠️ https://gist.github.com/YLChen-007/1d52497b0221835f99367be61612746b
Benutzer
 Eric-a (UID 96353)
Einreichung11.03.2026 15:01 (vor 3 Monaten)
Moderieren06.05.2026 09:40 (2 months later)
StatusAkzeptiert
VulDB Eintrag361276 [FlowiseAI Flowise bis 3.0.12 Endpoint account.service.ts verify Information Disclosure]
Punkte20

ZurückÜbersichtWeiter

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!