๐Ÿ” CVE Alert

CVE-2026-56278

CRITICAL 9.1

Flowise - Session Hijacking via Weak Default Express Session Secret

CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th

Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.

CWE CWE-798
Vendor flowise
Product flowise
Published Jun 30, 2026
Stay Ahead of the Next One

Get instant alerts for flowise flowise

Be the first to know when new critical vulnerabilities affecting flowise flowise are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

Flowise / Flowise
0 < 3.1.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-2qqc-p94c-hxwh vulncheck.com: https://www.vulncheck.com/advisories/flowise-session-hijacking-via-weak-default-express-session-secret

Credits

๐Ÿ” kolega-ai-dev