[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-56271":6},{"stargazers_count":4,"fetched_at":5},7,"2026-07-12T12:27:57.653Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":20,"aliases":21,"duplicate_of":9,"upstream":22,"downstream":23,"duplicates":24,"related":25,"reserved_at":9,"published_at":26,"modified_at":26,"state":27,"summary":28,"references_raw":35,"kevs":46,"epss":9,"epss_history":47,"metrics":48,"affected":56},"CVE-2026-56271","Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication middleware (packages/server/src/enterprise/middleware/passport/index.ts). When the corresponding environment variables (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, JWT_ISSUER) are not set, the application silently falls back to these publicly known defaults, allowing an attacker to forge valid JWTs and impersonate any user, including administrators, resulting in authentication bypass.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-321","Use of Hard-coded Cryptographic Key","The product uses a hard-coded, unchangeable cryptographic key.","weakness","Draft","Variant","High",[],[],[],[],[],[],[],"2026-07-12T12:06:32.246Z","PUBLISHED",{"cisa_kev":29,"cisa_ransomware":29,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":30,"severity_score":31,"severity_version":32,"severity_source":33,"severity_vector":34,"severity_status":27},false,"critical",9.8,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",[36,41],{"url":37,"sources":38,"tags":39},"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cc4f-hjpj-g9p8",[33],[40],"Vendor Advisory",{"url":42,"sources":43,"tags":44},"https://www.vulncheck.com/advisories/flowise-weak-default-jwt-secrets-in-authentication-middleware",[33],[45],"Third Party Advisory",[],[],[49],{"source":33,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":50,"cvss_v4_0":53},{"baseScore":31,"baseSeverity":51,"vectorString":34,"impactScore":31,"exploitabilityScore":52},"CRITICAL",10,{"baseScore":54,"baseSeverity":51,"vectorString":55,"impactScore":9,"exploitabilityScore":9},9.3,"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",[57],{"ecosystem":9,"name":58,"vendor":59,"product":59,"cpe_part":60,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":61},"Flowise","flowise","a",[62],{"version":63,"is_range":64,"range_type":33,"version_start":9,"version_start_type":9,"version_end":65,"version_end_type":66,"fixed_in":9},"\u003C 3.1.0",true,"3.1.0","excluding"]