CVE-2026-56271 in Flowiseinformation

Résumé

par MITRE • 12/07/2026

Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication middleware (packages/server/src/enterprise/middleware/passport/index.ts). When the corresponding environment variables (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, JWT_ISSUER) are not set, the application silently falls back to these publicly known defaults, allowing an attacker to forge valid JWTs and impersonate any user, including administrators, resulting in authentication bypass.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Responsable

VulnCheck

Réserver

20/06/2026

Divulgation

12/07/2026

Modérer

accepté

Entrée

VDB-377863

CPE

prêt

EPSS

0.00000

KEV

non

Activités

faible

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!