Weak JWT Secrets in Flowise Product by FlowiseAI
CVE-2026-56271

9.3CRITICAL

Key Information:

Vendor

Flowise

Status
Vendor
CVE Published:
12 July 2026

What is CVE-2026-56271?

Flowise versions prior to 3.1.0 utilize weak hardcoded default JWT secrets and other critical values for authentication. If the necessary environment variables are not configured, the application defaults to these insecure settings, enabling potential attackers to create valid JWT tokens. This could result in unauthorized user impersonation, including administrative accounts, thereby allowing attackers to bypass security measures effectively.

Affected Version(s)

Flowise 0 < 3.1.0

Flowise 3.1.0

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

kolega-ai-dev
.