Session Hijacking in Flowise Product by FlowiseAI
CVE-2026-56278

9.3CRITICAL

Key Information:

Vendor

Flowise

Status
Vendor
CVE Published:
30 June 2026

What is CVE-2026-56278?

The Flowise product, particularly versions up to 3.0.13, is susceptible to session hijacking due to a hardcoded weak default secret used in the express-session middleware. When the EXPRESS_SESSION_SECRET environment variable is unset, this default secret becomes accessible in the source code. Consequently, this allows attackers to forge valid signed session cookies, enabling them to impersonate any user and bypass the authentication mechanisms. It is crucial for users of Flowise to upgrade to version 3.1.0 or later to mitigate this security risk.

Affected Version(s)

Flowise 0 < 3.1.0

Flowise 3.1.0

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

kolega-ai-dev
.