Session Hijacking in Flowise Product by FlowiseAI
CVE-2026-56278
9.3CRITICAL
What is CVE-2026-56278?
The Flowise product, particularly versions up to 3.0.13, is susceptible to session hijacking due to a hardcoded weak default secret used in the express-session middleware. When the EXPRESS_SESSION_SECRET environment variable is unset, this default secret becomes accessible in the source code. Consequently, this allows attackers to forge valid signed session cookies, enabling them to impersonate any user and bypass the authentication mechanisms. It is crucial for users of Flowise to upgrade to version 3.1.0 or later to mitigate this security risk.
Affected Version(s)
Flowise 0 < 3.1.0
Flowise 3.1.0
