CVE-2026-56271 in Flowise
Summary
by MITRE • 07/12/2026
Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication middleware (packages/server/src/enterprise/middleware/passport/index.ts). When the corresponding environment variables (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, JWT_ISSUER) are not set, the application silently falls back to these publicly known defaults, allowing an attacker to forge valid JWTs and impersonate any user, including administrators, resulting in authentication bypass.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/12/2026
This vulnerability resides in Flowise versions 3.0.13 and earlier where the enterprise passport authentication middleware implements a critical security flaw through the use of hardcoded default values for JSON Web Token (JWT) secrets and metadata. The application fails to enforce proper environment variable configuration for authentication parameters, specifically JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER. When these variables remain unset, the system automatically defaults to predictable values including 'auth_token', 'refresh_token', 'AUDIENCE', and 'ISSUER' which are publicly documented and easily discoverable through standard security research methodologies.
The technical implementation of this vulnerability stems from weak cryptographic practices and inadequate input validation within the authentication middleware. According to CWE-327, this represents a use of a broken or weak cryptographic algorithm where hardcoded secrets provide no meaningful security boundary. The flaw operates at the application layer and directly impacts the authentication mechanism by allowing attackers to generate valid JWT tokens without proper authorization. This occurs because the default secrets are not only publicly known but also remain unchanged across deployments, creating a persistent attack surface that requires no specialized knowledge or tools beyond basic reconnaissance.
The operational impact of this vulnerability is severe and encompasses complete authentication bypass capabilities within the affected system. An attacker who discovers these hardcoded values can forge JWT tokens to assume any user identity including administrative accounts, effectively providing unrestricted access to all system functionalities. This represents a critical privilege escalation vector that violates fundamental security principles of least privilege and separation of duties as outlined in the MITRE ATT&CK framework under the credential access and privilege escalation domains. The vulnerability allows for persistent access to sensitive data and system resources without detection, making it particularly dangerous in enterprise environments.
Mitigation strategies must address both immediate remediation and long-term architectural improvements to prevent similar issues. Organizations should immediately update to Flowise version 3.1.0 or later where this vulnerability has been resolved through proper environment variable validation and the removal of hardcoded secrets. Security configurations must enforce explicit setting of all JWT-related environment variables with strong, randomly generated values that are unique per deployment. Additionally, implementing runtime checks for missing environment variables and failing securely when required parameters are not properly configured will prevent silent fallback to insecure defaults. Organizations should also conduct comprehensive security audits of their application deployments to identify any other hardcoded secrets or weak cryptographic implementations that may expose similar attack vectors.