CVE-2026-56271
CRITICAL
9.8
CVSS 3.1
Description
Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication middleware (packages/server/src/enterprise/middleware/passport/index.ts). When the corresponding environment variables (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, JWT_ISSUER) are not set, the application silently falls back to these publicly known defaults, allowing an attacker to forge valid JWTs and impersonate any user, including administrators, resulting in authentication bypass.
Metadata
Severity & Metrics
9.8
CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Flowise | Flowise | — | 0 < 3.1.0, 3.1.0 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-321 | cna | Use of Hard-coded Cryptographic Key |
CVSS scores (2)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 9.8 | CRITICAL | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 9.3 | CRITICAL | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
References (2)
- GitHub Security Advisory (GHSA-cc4f-hjpj-g9p8) https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cc4f-hjpj-g9p8
- VulnCheck Advisory: Flowise - Weak Default JWT Secrets in Authentication Middleware https://www.vulncheck.com/advisories/flowise-weak-default-jwt-secrets-in-authentication-middleware