GHSA-x5w6-38gp-mrqh: Flowise: Password Reset Link Sent Over Unsecured HTTP
Summary
Flowise's password reset feature sends reset links over HTTP (unencrypted) instead of HTTPS (encrypted). An attacker on the same network (for example, public Wi-Fi) can intercept the link in a man-in-the-middle attack, where a third party silently reads traffic between two parties, and use it to take over the user's account.
Solution / Mitigation
The source states: 'Ensure all sensitive URLs, especially password reset links, are generated and transmitted over secure https:// endpoints only.' It also recommends using HTTPS for all password-related email links and implementing HSTS (HTTP Strict Transport Security, a response header that tells browsers to connect to the site only over encrypted connections).
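As an added example (not Flowise's own code), the following Node.js snippet shows the mitigation in practice: a reset-link builder that refuses any non-https base URL, the HSTS header value to pair with it, and a check over an outgoing email body for the cleartext links this advisory describes. The `/reset-password` path, the `token` query parameter and the sample email are assumptions constructed for illustration.

```javascript
// Added example, not Flowise's own code. The route path and query parameter
// below are assumptions for illustration, not Flowise's actual reset route.
const RESET_PATH = '/reset-password'; // assumed path

// Builds the absolute reset link, or throws if the configured base URL would
// put the one-time token on the wire unencrypted (the defect in the advisory).
function buildPasswordResetLink(appBaseUrl, token) {
  let base;
  try {
    base = new URL(appBaseUrl);
  } catch {
    throw new Error(`App base URL is not a valid absolute URL: ${appBaseUrl}`);
  }
  if (base.protocol !== 'https:') {
    // Refuse rather than silently upgrade: an http:// base usually means a
    // misconfigured deployment, and the token must never be sent in cleartext.
    throw new Error(`Refusing to build reset link over ${base.protocol}; use https://`);
  }
  const link = new URL(RESET_PATH, base);
  link.searchParams.set('token', token);
  return link.toString();
}

// HSTS header value: once a browser has seen it over HTTPS, it refuses plain
// HTTP connections to the host for max-age seconds (one year by default).
function hstsHeaderValue(maxAgeSeconds = 31536000, includeSubDomains = true) {
  return `max-age=${maxAgeSeconds}` + (includeSubDomains ? '; includeSubDomains' : '');
}

// Last-line check for outgoing mail: return every link in the body whose
// scheme is not https, so a misconfigured deployment is caught before sending.
function findInsecureLinks(emailBody) {
  const urls = emailBody.match(/https?:\/\/[^\s"'<>]+/g) || [];
  return urls.filter((u) => !u.startsWith('https://'));
}

// Constructed sample email body showing the vulnerable pattern.
const SAMPLE_EMAIL =
  'Reset your password here: http://flowise.example.com/reset-password?token=abc123 ' +
  'or visit https://flowise.example.com/help for assistance.';

console.log(buildPasswordResetLink('https://flowise.example.com', 'abc123'));
console.log('Strict-Transport-Security:', hstsHeaderValue());
console.log('insecure links in sample email:', findInsecureLinks(SAMPLE_EMAIL));
```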
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-x5w6-38gp-mrqh
First tracked: April 16, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%