Weak Password Recovery Mechanism for Forgotten Password Affecting @workflow/core package, versions <4.2.0-beta.64


Severity: high (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-JS-WORKFLOWCORE-15440578
  • Published: 8 Mar 2026
  • Disclosed: 6 Mar 2026
  • Credit: Pranay Prakash

Introduced: 6 Mar 2026

CVE: not available. CWE-640

How to fix?

Upgrade @workflow/core to version 4.2.0-beta.64 or higher.

Overview

@workflow/core is the core runtime and engine for Workflow DevKit.

Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the createWebhook function. When the token that protects a webhook is predictable, an attacker can guess it and inject arbitrary payloads through the public webhook endpoint, gaining unauthorized access to workflow execution. This can lead to unintended actions such as triggering API calls, database modifications, or deployments.

Workaround

This vulnerability can be mitigated by avoiding predictable or guessable values for the token parameter of createWebhook. Alternatively, switch to createHook and resume hooks programmatically with resumeHook, or call createWebhook without a user-provided token so that a random value is generated for you.
