CVE-2026-56271 PUBLISHED

Flowise - Weak Default JWT Secrets in Authentication Middleware

Assigner: VulnCheck
Reserved: 20.06.2026 Published: 12.07.2026 Updated: 12.07.2026

Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication middleware (packages/server/src/enterprise/middleware/passport/index.ts). When the corresponding environment variables (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, JWT_ISSUER) are not set, the application silently falls back to these publicly known defaults, allowing an attacker to forge valid JWTs and impersonate any user, including administrators, resulting in authentication bypass.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor Flowise
Product Flowise
Versions Default: unaffected
  • affected from 0 to 3.1.0 (excl.)
  • Version 3.1.0 is unaffected

Credits

  • kolega-ai-dev reporter

References

Problem Types

  • Use of Hard-coded Cryptographic Key CWE