PT-2026-57552 · Flowise · Flowise

Kolega-Ai-Dev

·

Published

2026-07-12

·

Updated

2026-07-12

·

CVE-2026-56271

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.0
Description The enterprise passport authentication middleware in packages/server/src/enterprise/middleware/passport/index.ts uses weak hardcoded default secrets and values for audience and issuer. When the environment variables JWT AUTH TOKEN SECRET, JWT REFRESH TOKEN SECRET, JWT AUDIENCE, and JWT ISSUER are not configured, the application falls back to publicly known defaults. This allows an attacker to forge valid JSON Web Tokens (JWTs)—a compact, URL-safe means of representing claims to be transferred between two parties—and impersonate any user, including administrators, leading to a full authentication bypass and instance takeover.
Recommendations Update to version 3.1.0. Set the environment variables JWT AUTH TOKEN SECRET, JWT REFRESH TOKEN SECRET, JWT AUDIENCE, and JWT ISSUER to secure, unique values.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56271

Affected Products

Flowise