CVE Catalog

CVE-2026-56278

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.38%

30th percentile — higher than 30% of all known CVEs

Summary

Flowise before version 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set. Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.

Risk Assessment

The risk for the organization is the potential for complete authentication bypass, allowing an attacker to impersonate any user, including administrators, and gain unauthorized access to sensitive data and system functions.

Recommendation

Immediately update Flowise to version 3.1.0 or later and set a strong, unique value for the EXPRESS_SESSION_SECRET environment variable.

Original NVD description (English source)

Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS