Back to overview

CVE-2026-56271

CRITICAL
9.8
CVSS 3.1
Description
Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication middleware (packages/server/src/enterprise/middleware/passport/index.ts). When the corresponding environment variables (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, JWT_ISSUER) are not set, the application silently falls back to these publicly known defaults, allowing an attacker to forge valid JWTs and impersonate any user, including administrators, resulting in authentication bypass.

Metadata

CVE ID
CVE-2026-56271
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-20 01:47 UTC
Published
2026-07-12 12:06 UTC
Last updated
2026-07-12 12:06 UTC
Primary CWE
CWE-321
Use of Hard-coded Cryptographic Key
Vendor / Product
Flowise / Flowise
Sources
cve.org  ·  NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
Flowise Flowise 0 < 3.1.0, 3.1.0
Weakness (CWE)
CWESourceDescription
CWE-321 cna Use of Hard-coded Cryptographic Key
CVSS scores (2)
ScoreSeverityVersionSourceVector
9.8 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References (2)
Back to overview