47 matches found
PT-2026-36114
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description When the software is started with the --features-disabled=account,account-api flag, the Account REST API is only partially disabled. Five endpoints under the versioned path "/account/v1alpha...
Flowise AccountService resetPassword Authentication Bypass Vulnerability
This vulnerability allows remote attackers to bypass authentication on affected installations of Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the resetPassword method of the AccountService class. The issue results from improper...
CVE-2026-41276 Flowise: AccountService resetPassword Authentication Bypass Vulnerability
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific...
CVE-2026-41276 Flowise: AccountService resetPassword Authentication Bypass Vulnerability
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific...
Flowise: resetPassword Authentication Bypass Vulnerability
ZDI-CAN-28762: Flowise AccountService resetPassword Authentication Bypass Vulnerability -- ABSTRACT ------------------------------------- Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: Flowise - Flowise -- VULNERABILITY DETAILS...
GHSA-F6HC-C5JR-878P Flowise: resetPassword Authentication Bypass Vulnerability
ZDI-CAN-28762: Flowise AccountService resetPassword Authentication Bypass Vulnerability -- ABSTRACT ------------------------------------- Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: Flowise - Flowise -- VULNERABILITY DETAILS...
Cleartext Transmission of Sensitive Information
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information through the AccountService in account.service.ts. An attacker can cause password reset, verification, registration, and invite emails to contain http:// links...
PT-2026-24745
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in the Account REST API of Keycloak that allows a user authenticated with a lower security level to perform sensitive actions intended only for higher-assurance sessions. An...
EUVD-2026-10055
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated...
Rocket.Chat 安全漏洞
Rocket.Chat is a chat software developed by the Rocket.Chat company. There were security vulnerabilities in versions prior to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0. These vulnerabilities stemmed from the direct embedding of MongoDB query selectors into user inputs in the account...
PT-2026-23738
Name of the Vulnerable Software and Affected Versions Rocket.Chat versions prior to 7.10.8 Rocket.Chat versions prior to 7.11.5 Rocket.Chat versions prior to 7.12.5 Rocket.Chat versions prior to 7.13.4 Rocket.Chat versions prior to 8.0.2 Rocket.Chat versions prior to 8.1.1 Rocket.Chat versions...
Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint
Summary The /api/v1/account/forgot-password endpoint returns the full user object including PII id, name, email, status, timestamps in the response body instead of a generic success message. This exposes sensitive user information to unauthenticated attackers who only need to know a valid email...
GHSA-JC5M-WRP2-QQ38 Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint
Summary The /api/v1/account/forgot-password endpoint returns the full user object including PII id, name, email, status, timestamps in the response body instead of a generic success message. This exposes sensitive user information to unauthenticated attackers who only need to know a valid email...
EUVD-2019-3825
Malware in sbrugna...
CVE-2025-24868
The User Account and Authentication service UAA for SAP HANA extended application services, advanced model SAP HANA XS advanced model allows an unauthenticated attacker to craft a malicious link, that, when clicked by a victim, redirects the browser to a malicious site due to insufficient redirec...
Ubuntu 资源管理错误漏洞
Canonical Ubuntu is a GNU/Linux operating system from the British company Canonical that focuses on desktop applications. Ubuntu suffers from a security vulnerability that stems from the Account Service incorrectly handling certain messages, which can be exploited by a local attacker to cause a...
SUSE CVE-2012-6655
An issue exists AccountService 0.6.37 in the userchangepasswordauthorizedcb function in user.c which could let a local users obtain encrypted passwords...
SUSE CVE-2020-16125
gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu and potentially derivatives this could be be chained with an additional issue that could allow a local user to create a new privileged...
gdm: inability to timely contact accountservice via dbus leads gnome-initial-setup to creation of account with admin privileges
A vulnerability was found in GDM. If gdm can't contact the AccountService service via DBus in a timely manner it would default to assume there are no existing users and would allow the attacker to create a new user with high privileges...
UBUNTU-CVE-2020-16125
gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu and potentially derivatives this could be be chained with an additional issue that could allow a local user to create a new privileged...