CVE-2026-56271

Flowise · Flowise

Flowise versions prior to 3.1.0 utilize hardcoded default JWT secrets, allowing unauthenticated remote attackers to forge authentication tokens and impersonate any user, including administrators.

Executive summary

Flowise prior to version 3.1.0 contains a critical authentication bypass vulnerability due to hardcoded default JWT secrets, allowing attackers to gain full administrative access.

Vulnerability

The application uses hardcoded JWT secrets and default configuration values within the enterprise passport middleware. If environment variables are not explicitly set, the system reverts to these known defaults, enabling unauthenticated attackers to forge valid authentication tokens.

Business impact

This vulnerability provides an attacker with the ability to bypass all authentication mechanisms, leading to full administrative compromise of the Flowise instance. This can result in unauthorized data access, manipulation of workflows, and potential exfiltration of sensitive information, justifying the 9.8 CVSS severity rating.

Remediation

Immediate Action: Update Flowise to version 3.1.0 or later immediately. Ensure that all JWT environment variables are explicitly set to unique, cryptographically strong values.

Proactive Monitoring: Audit logs for suspicious administrative activity or successful logins from unknown or unauthorized entities.

Compensating Controls: Ensure that the Flowise instance is not exposed to the public internet without an additional layer of authentication or proxy-based access control.

Exploitation status

Public Exploit Available: No confirmed public weaponized exploit.

Analyst recommendation

Administrators must prioritize the update to version 3.1.0 to invalidate the reliance on default secrets. Additionally, verify that your production environment has unique secret keys defined in the configuration to prevent accidental fallback to default values.