๐Ÿ” CVE Alert

CVE-2026-56271

CRITICAL 9.8

Flowise - Weak Default JWT Secrets in Authentication Middleware

CVSS Score
9.8
EPSS Score
0.4%
EPSS Percentile
32th

Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication middleware (packages/server/src/enterprise/middleware/passport/index.ts). When the corresponding environment variables (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, JWT_ISSUER) are not set, the application silently falls back to these publicly known defaults, allowing an attacker to forge valid JWTs and impersonate any user, including administrators, resulting in authentication bypass.

CWE CWE-321
Vendor flowise
Product flowise
Published Jul 12, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for flowise flowise

Be the first to know when new critical vulnerabilities affecting flowise flowise are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

Flowise / Flowise
0 < 3.1.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cc4f-hjpj-g9p8 vulncheck.com: https://www.vulncheck.com/advisories/flowise-weak-default-jwt-secrets-in-authentication-middleware

Credits

๐Ÿ” kolega-ai-dev