CVE-2026-56271
PUBLISHED
Published: 12 Jul 2026, 12:06
Last modified:12 Jul 2026, 12:06
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.8 CRITICAL
v3.1 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
12 Jul 2026, 12:06
Published
Vulnerability first disclosed
Description
Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication middleware (packages/server/src/enterprise/middleware/passport/index.ts). When the corresponding environment variables (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, JWT_ISSUER) are not set, the application silently falls back to these publicly known defaults, allowing an attacker to forge valid JWTs and impersonate any user, including administrators, resulting in authentication bypass.
CVSS Metrics
- v4.0•CRITICAL•Score: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Techniques & Countermeasures
- CWE-321•Use of Hard-coded Cryptographic Key
The product uses a hard-coded, unchangeable cryptographic key.
Affected Systems
- flowise•flowise
< 3.1.0