| Título | FlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200) |
|---|
| Descrição | # Technical Details
An Unauthenticated Credential Hash Exposure vulnerability exists in the `verify()` method in `packages/server/src/enterprise/services/account.service.ts` of FlowiseAI Flowise.
The POST /api/v1/account/verify endpoint is in WHITELIST_URLS and requires no authentication. The verify() method loads the full User entity including the credential column via readUserByToken(), then returns the entire unsanitized object to the HTTP response. This is an incomplete fix for PR #5167 (commit 9e178d6) which correctly applied sanitizeUser() to resetPassword() and updateUser() but missed verify().
# Vulnerable Code
File: packages/server/src/enterprise/services/account.service.ts (lines 507-530)
Method: verify()
Why: The function loads the full user entity with readUserByToken(), assigns it to data.user, saves it, and returns data — all without calling sanitizeUser() or deleting the credential field. The endpoint is whitelisted in constants.ts line 30 and requires no authentication.
# Reproduction
1. Deploy Flowise: docker run -d --name flowise-verify -p 3000:3000 flowiseai/flowise:latest
2. Register an account.
3. Set a verification token in the database (simulating email verification flow).
4. Call the unauthenticated endpoint: POST /api/v1/account/verify with {"user":{"tempToken":"<token>"}}
5. The response contains the full user object including the bcrypt credential hash.
# Impact
- Unauthenticated attacker can retrieve bcrypt password hashes via valid tempToken.
- Offline password cracking with hashcat/john.
- Credential stuffing against other services.
- Every user who verifies their email receives their hash in the browser network tab. |
|---|
| Fonte | ⚠️ https://gist.github.com/YLChen-007/1d52497b0221835f99367be61612746b |
|---|
| Utilizador | Eric-a (UID 96353) |
|---|
| Submissão | 11/03/2026 15h01 (há 3 meses) |
|---|
| Moderação | 06/05/2026 09h40 (2 months later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 361276 [FlowiseAI Flowise até 3.0.12 Endpoint account.service.ts verify Divulgação de Informação] |
|---|
| Pontos | 20 |
|---|