CVE-2026-56278
Severity: Critical (CVSS 9.1)
Exploitation Probability (EPSS): Low risk, 30th percentile — higher than 30% of all known CVEs
Summary
Flowise before version 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set. Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.
Risk Assessment
The risk for the organization is the potential for complete authentication bypass, allowing an attacker to impersonate any user, including administrators, and gain unauthorized access to sensitive data and system functions.
Recommendation
Immediately update Flowise to version 3.1.0 or later and set a strong, unique value for the EXPRESS_SESSION_SECRET environment variable.
Original NVD description (English source)
Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.