CVE-2026-56278
Flowise - Session Hijacking via Weak Default Express Session Secret
CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th
Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.
| CWE | CWE-798 |
| Vendor | flowise |
| Product | flowise |
| Published | Jun 30, 2026 |
Stay Ahead of the Next One
Get instant alerts for flowise flowise
Be the first to know when new critical vulnerabilities affecting flowise flowise are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
Flowise / Flowise
0 < 3.1.0
References
Credits
๐ kolega-ai-dev