CVE-2026-56271
Flowise · Flowise
Flowise versions prior to 3.1.0 utilize hardcoded default JWT secrets, allowing unauthenticated remote attackers to forge authentication tokens and impersonate any user, including administrators.
Executive summary
Flowise prior to version 3.1.0 contains a critical authentication bypass vulnerability due to hardcoded default JWT secrets, allowing attackers to gain full administrative access.
Vulnerability
The application uses hardcoded JWT secrets and default configuration values within the enterprise passport middleware. If environment variables are not explicitly set, the system reverts to these known defaults, enabling unauthenticated attackers to forge valid authentication tokens.
Business impact
This vulnerability provides an attacker with the ability to bypass all authentication mechanisms, leading to full administrative compromise of the Flowise instance. This can result in unauthorized data access, manipulation of workflows, and potential exfiltration of sensitive information, justifying the 9.8 CVSS severity rating.
Remediation
Immediate Action: Update Flowise to version 3.1.0 or later immediately. Ensure that all JWT environment variables are explicitly set to unique, cryptographically strong values.
Proactive Monitoring: Audit logs for suspicious administrative activity or successful logins from unknown or unauthorized entities.
Compensating Controls: Ensure that the Flowise instance is not exposed to the public internet without an additional layer of authentication or proxy-based access control.
Exploitation status
Public Exploit Available: No confirmed public weaponized exploit.
Analyst recommendation
Administrators must prioritize the update to version 3.1.0 to invalidate the reliance on default secrets. Additionally, verify that your production environment has unique secret keys defined in the configuration to prevent accidental fallback to default values.