CVE-2026-56272
Flowise Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-56272 is a weak password hashing vulnerability in FlowiseAI's Flowise, an open-source low-code AI workflow builder. The flaw stems from the use of bcrypt with a default salt round value of 5, providing only 32 iterations — far below the OWASP-recommended minimum of 10 rounds (1,024 iterations). All Flowise versions before 3.0.13 are affected. It was published on June 24, 2026, with a patch released in version 3.0.13. The vulnerability carries a CVSS v3.1 base score of 4.1 (Medium) and a CVSS v4.0 base score of 5.6 (Medium) (GitHub Advisory, Feedly).

Técnicas

The root cause is classified as CWE-916 (Use of Password Hash With Insufficient Computational Effort). The vulnerable code resides in packages/server/src/enterprise/utils/encryption.util.ts (lines 5–7), where the getHash() function calls bcrypt.genSaltSync() with a default value of 5 if the PASSWORD_SALT_HASH_ROUNDS environment variable is not explicitly set. The same weak default is also used in the resetPassword function in account.service.ts:568. With 5 salt rounds, modern GPUs can compute approximately 300,000 bcrypt hashes per second compared to ~10,000 hashes/second at 10 rounds — a roughly 30x speed advantage for an attacker performing offline cracking after obtaining the database (GitHub Advisory).

Impacto

In a database breach scenario, an attacker who obtains the Flowise user database can crack password hashes approximately 30 times faster than would be possible with properly configured bcrypt, potentially compromising all user accounts. The impact is limited to confidentiality (no integrity or availability impact), and exploitation requires prior access to the database — either through a separate breach or unauthorized database access. Cracked credentials could then be used for account takeover, unauthorized access to AI workflows, and potential lateral movement if users reuse passwords across systems (GitHub Advisory, Feedly).

Pasos de explotación

  1. Obtain database access: Gain unauthorized access to the Flowise database through a separate vulnerability, misconfiguration, or insider threat — this is a prerequisite for exploitation.
  2. Extract password hashes: Query the user table to retrieve bcrypt password hashes stored with 5 salt rounds (identifiable by the $2b$05$ prefix in the hash string).
  3. Configure cracking tool: Load the extracted hashes into a GPU-accelerated password cracking tool such as Hashcat (mode -m 3200 for bcrypt) or John the Ripper.
  4. Execute offline brute-force/dictionary attack: Run the cracking tool against the hashes using wordlists (e.g., rockyou.txt) or rule-based mutations. The 5-round bcrypt configuration allows ~300,000 hashes/second on modern GPUs, enabling significantly faster cracking than properly configured instances.
  5. Use cracked credentials: Authenticate to the Flowise application or other services where users may have reused passwords, gaining unauthorized access to AI workflows, API keys, and connected integrations (GitHub Advisory).

Indicadores de compromiso

  • Database: Presence of bcrypt password hashes with the prefix $2b$05$ in the Flowise user table, indicating hashes generated with only 5 salt rounds.
  • Logs: Unusual or repeated authentication attempts against the Flowise application following a suspected database exposure event; login activity from unexpected IP addresses or geographic locations.
  • Configuration: Absence of the PASSWORD_SALT_HASH_ROUNDS environment variable in the Flowise deployment configuration, confirming the insecure default of 5 rounds is in use.
  • File System: Unexpected database dump files or export artifacts in the Flowise server environment that may indicate unauthorized data exfiltration (GitHub Advisory).

Mitigación y soluciones alternativas

Upgrade Flowise to version 3.0.13 or later, which addresses the insecure default by increasing the bcrypt salt rounds. For deployments that cannot immediately upgrade, set the PASSWORD_SALT_HASH_ROUNDS environment variable to at least 10 (OWASP minimum) or 12 (recommended for better security-performance balance). Note that existing password hashes generated at 5 rounds remain vulnerable even after increasing the environment variable — users should be prompted to reset their passwords to force re-hashing with the new configuration. Additionally, implement account lockout policies, rate limiting on authentication endpoints, and restrict database access to minimize exposure in breach scenarios (GitHub Advisory, Feedly).

Reacciones de la comunidad

The vulnerability was discovered via a Kolega.dev Deep Code Scan and reported by the kolega-ai-dev team, with faizan@kolega.ai credited as the reporter. The GitHub Security Advisory was published by igor-magun-wd on March 5, 2026, and assigned a Moderate severity rating. No significant broader media coverage or notable social media commentary has been identified beyond standard vulnerability database aggregation (GitHub Advisory).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado Flowise Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-56278CRITICAL9.3
  • Flowise logoFlowise
  • flowise
NoJun 30, 2026
CVE-2026-56270HIGH8.7
  • Flowise logoFlowise
  • flowise
NoJun 24, 2026
CVE-2025-71332HIGH8.5
  • Flowise logoFlowise
  • flowise
NoNoJun 24, 2026
CVE-2026-56272MEDIUM5.6
  • Flowise logoFlowise
  • flowise
NoJun 24, 2026
CVE-2026-56269MEDIUM4.3
  • Flowise logoFlowise
  • flowise
NoJun 24, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades