Home

Description

Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication middleware (packages/server/src/enterprise/middleware/passport/index.ts). When the corresponding environment variables (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, JWT_ISSUER) are not set, the application silently falls back to these publicly known defaults, allowing an attacker to forge valid JWTs and impersonate any user, including administrators, resulting in authentication bypass.

PUBLISHED Reserved 2026-06-20 | Published 2026-07-12 | Updated 2026-07-13 | Assigner VulnCheck




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Use of Hard-coded Cryptographic Key

Product status

Default status
unaffected

Any version before 3.1.0
affected

3.1.0 (semver)
unaffected

Credits

kolega-ai-dev reporter

References

github.com/...lowise/security/advisories/GHSA-cc4f-hjpj-g9p8 (GitHub Security Advisory (GHSA-cc4f-hjpj-g9p8)) vendor-advisory

www.vulncheck.com/...wt-secrets-in-authentication-middleware (VulnCheck Advisory: Flowise - Weak Default JWT Secrets in Authentication Middleware) third-party-advisory

cve.org (CVE-2026-56271)

nvd.nist.gov (CVE-2026-56271)

Download JSON