CVE-2026-56278
Flowise · Flowise
Flowise uses a weak, hardcoded default secret for session management, enabling unauthenticated attackers to forge session cookies and hijack user accounts.
Executive summary
A critical authentication bypass vulnerability in Flowise allows attackers to forge session cookies due to the use of a weak, hardcoded default secret.
Vulnerability
The application falls back to a hardcoded string ("flowise") as the express-session middleware secret whenever the EXPRESS_SESSION_SECRET environment variable is not explicitly configured. Because that value is public in the source code, an unauthenticated remote attacker can craft validly signed session cookies and impersonate any user, including administrative accounts.
Business impact
The ability to forge sessions grants an attacker full access to the Flowise platform, potentially exposing sensitive workflows, API keys, and configuration data. With a CVSS score of 9.1, this vulnerability poses a high risk to the confidentiality and integrity of organizational automation processes.
Remediation
Immediate Action: Upgrade Flowise to version 3.1.0 or later and ensure the EXPRESS_SESSION_SECRET environment variable is set to a strong, unique, and random value.
Proactive Monitoring: Audit existing session logs for anomalous login activity or sessions originating from unexpected IP addresses.
Compensating Controls: Implement network-level access controls to restrict access to the Flowise management interface to authorized personnel only.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability highlights the danger of default configurations in security-critical software. Administrators must upgrade their instances and strictly enforce the use of custom, high-entropy session secrets to prevent unauthorized account takeover and potential data exfiltration.