Weak JWT Secrets in Flowise Product by FlowiseAI
CVE-2026-56271
9.3CRITICAL
What is CVE-2026-56271?
Flowise versions prior to 3.1.0 utilize weak hardcoded default JWT secrets and other critical values for authentication. If the necessary environment variables are not configured, the application defaults to these insecure settings, enabling potential attackers to create valid JWT tokens. This could result in unauthorized user impersonation, including administrative accounts, thereby allowing attackers to bypass security measures effectively.
Affected Version(s)
Flowise 0 < 3.1.0
Flowise 3.1.0
