PT-2026-57552 · Flowise · Flowise
Kolega-Ai-Dev
·
Published
2026-07-12
·
Updated
2026-07-12
·
CVE-2026-56271
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Flowise versions prior to 3.1.0
Description
The enterprise passport authentication middleware in
packages/server/src/enterprise/middleware/passport/index.ts uses weak hardcoded default secrets and values for audience and issuer. When the environment variables JWT AUTH TOKEN SECRET, JWT REFRESH TOKEN SECRET, JWT AUDIENCE, and JWT ISSUER are not configured, the application falls back to publicly known defaults. This allows an attacker to forge valid JSON Web Tokens (JWTs)—a compact, URL-safe means of representing claims to be transferred between two parties—and impersonate any user, including administrators, leading to a full authentication bypass and instance takeover.Recommendations
Update to version 3.1.0.
Set the environment variables
JWT AUTH TOKEN SECRET, JWT REFRESH TOKEN SECRET, JWT AUDIENCE, and JWT ISSUER to secure, unique values.Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Flowise