CVE-2026-56272:
Flowise Análisis y mitigación de vulnerabilidades
Vista general
CVE-2026-56272 is a weak password hashing vulnerability in FlowiseAI's Flowise, an open-source low-code AI workflow builder. The flaw stems from the use of bcrypt with a default salt round value of 5, providing only 32 iterations — far below the OWASP-recommended minimum of 10 rounds (1,024 iterations). All Flowise versions before 3.0.13 are affected. It was published on June 24, 2026, with a patch released in version 3.0.13. The vulnerability carries a CVSS v3.1 base score of 4.1 (Medium) and a CVSS v4.0 base score of 5.6 (Medium) (GitHub Advisory, Feedly).
Técnicas
The root cause is classified as CWE-916 (Use of Password Hash With Insufficient Computational Effort). The vulnerable code resides in packages/server/src/enterprise/utils/encryption.util.ts (lines 5–7), where the getHash() function calls bcrypt.genSaltSync() with a default value of 5 if the PASSWORD_SALT_HASH_ROUNDS environment variable is not explicitly set. The same weak default is also used in the resetPassword function in account.service.ts:568. With 5 salt rounds, modern GPUs can compute approximately 300,000 bcrypt hashes per second compared to ~10,000 hashes/second at 10 rounds — a roughly 30x speed advantage for an attacker performing offline cracking after obtaining the database (GitHub Advisory).
Impacto
In a database breach scenario, an attacker who obtains the Flowise user database can crack password hashes approximately 30 times faster than would be possible with properly configured bcrypt, potentially compromising all user accounts. The impact is limited to confidentiality (no integrity or availability impact), and exploitation requires prior access to the database — either through a separate breach or unauthorized database access. Cracked credentials could then be used for account takeover, unauthorized access to AI workflows, and potential lateral movement if users reuse passwords across systems (GitHub Advisory, Feedly).
Pasos de explotación
- Obtain database access: Gain unauthorized access to the Flowise database through a separate vulnerability, misconfiguration, or insider threat — this is a prerequisite for exploitation.
- Extract password hashes: Query the user table to retrieve bcrypt password hashes stored with 5 salt rounds (identifiable by the
$2b$05$prefix in the hash string). - Configure cracking tool: Load the extracted hashes into a GPU-accelerated password cracking tool such as Hashcat (mode
-m 3200for bcrypt) or John the Ripper. - Execute offline brute-force/dictionary attack: Run the cracking tool against the hashes using wordlists (e.g., rockyou.txt) or rule-based mutations. The 5-round bcrypt configuration allows ~300,000 hashes/second on modern GPUs, enabling significantly faster cracking than properly configured instances.
- Use cracked credentials: Authenticate to the Flowise application or other services where users may have reused passwords, gaining unauthorized access to AI workflows, API keys, and connected integrations (GitHub Advisory).
Indicadores de compromiso
- Database: Presence of bcrypt password hashes with the prefix
$2b$05$in the Flowise user table, indicating hashes generated with only 5 salt rounds. - Logs: Unusual or repeated authentication attempts against the Flowise application following a suspected database exposure event; login activity from unexpected IP addresses or geographic locations.
- Configuration: Absence of the
PASSWORD_SALT_HASH_ROUNDSenvironment variable in the Flowise deployment configuration, confirming the insecure default of 5 rounds is in use. - File System: Unexpected database dump files or export artifacts in the Flowise server environment that may indicate unauthorized data exfiltration (GitHub Advisory).
Mitigación y soluciones alternativas
Upgrade Flowise to version 3.0.13 or later, which addresses the insecure default by increasing the bcrypt salt rounds. For deployments that cannot immediately upgrade, set the PASSWORD_SALT_HASH_ROUNDS environment variable to at least 10 (OWASP minimum) or 12 (recommended for better security-performance balance). Note that existing password hashes generated at 5 rounds remain vulnerable even after increasing the environment variable — users should be prompted to reset their passwords to force re-hashing with the new configuration. Additionally, implement account lockout policies, rate limiting on authentication endpoints, and restrict database access to minimize exposure in breach scenarios (GitHub Advisory, Feedly).
Reacciones de la comunidad
The vulnerability was discovered via a Kolega.dev Deep Code Scan and reported by the kolega-ai-dev team, with faizan@kolega.ai credited as the reporter. The GitHub Security Advisory was published by igor-magun-wd on March 5, 2026, and assigned a Moderate severity rating. No significant broader media coverage or notable social media commentary has been identified beyond standard vulnerability database aggregation (GitHub Advisory).
Recursos adicionales
Fuente: Este informe se generó utilizando IA
Relacionado Flowise Vulnerabilidades:
Evaluación gratuita de vulnerabilidades
Compare su postura de seguridad en la nube
Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.
Recursos adicionales de Wiz
Obtén una demostración personalizada
¿Listo para ver a Wiz en acción?
"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."