CVE-2026-56278
Flowise Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-56278 is an authentication bypass vulnerability in Flowise, an open-source LLM orchestration platform, caused by a weak hardcoded default session secret. Flowise versions 3.0.13 and earlier use the string 'flowise' as the default secret for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not configured (packages/server/src/enterprise/middleware/passport/index.ts). Because this default is publicly visible in the source code, any attacker can forge valid signed session cookies to impersonate any user and bypass authentication entirely. The vulnerability was published on June 30, 2026, and patched in version 3.1.0. It carries a CVSS v3.1 base score of 9.1 (Critical) and a CVSS v4.0 base score of 9.3 (Critical) (GitHub Advisory, FlowiseAI Advisory).

Técnicas

The root cause is classified as CWE-798 (Use of Hard-coded Credentials). The vulnerable code in packages/server/src/enterprise/middleware/passport/index.ts (line 55) reads: secret: process.env.EXPRESS_SESSION_SECRET || 'flowise', meaning any deployment that does not explicitly set the environment variable falls back to the publicly known default. An unauthenticated remote attacker can exploit this by using the known secret 'flowise' to sign arbitrary session cookie payloads using the same HMAC algorithm employed by express-session, effectively forging a valid authenticated session for any user account — including administrators — without needing credentials. The .env.example file treats EXPRESS_SESSION_SECRET as optional (commented out), compounding the risk by implying the default is acceptable for production use (FlowiseAI Advisory, GitHub Advisory).

Impacto

Successful exploitation grants an unauthenticated attacker full authenticated access to the Flowise application, with the ability to impersonate any user — including administrators. This results in high confidentiality impact (access to all data, API keys, LLM configurations, and connected integrations) and high integrity impact (ability to modify workflows, inject malicious AI pipeline logic, or exfiltrate sensitive data). Availability is not directly impacted, but the ability to manipulate AI workflows and connected backend systems could have significant downstream consequences in production environments (GitHub Advisory, FlowiseAI Advisory).

Pasos de explotación

  1. Reconnaissance: Identify internet-facing Flowise instances (versions ≤ 3.0.13) using search engines like Shodan or Censys, or by checking the Flowise version endpoint if exposed.
  2. Confirm vulnerability: Verify that the target instance does not have EXPRESS_SESSION_SECRET set to a custom value — this can be inferred if the instance is running an unpatched version without explicit hardening documentation.
  3. Forge session cookie: Using the known default secret 'flowise', craft a valid express-session signed cookie. This can be done with Node.js using the cookie-signature library: var sig = require('cookie-signature'); var signed = 's:' + sig.sign(sessionId, 'flowise');
  4. Identify target user: Optionally enumerate user accounts or target the administrator account directly by crafting a session payload referencing a known or guessed user ID.
  5. Submit forged cookie: Send an HTTP request to the Flowise application with the forged connect.sid cookie value in the Cookie header.
  6. Achieve authenticated access: The server validates the cookie signature using the hardcoded secret, accepts the session as legitimate, and grants full authenticated access as the impersonated user — including administrative functions (FlowiseAI Advisory, GitHub Advisory).

Indicadores de compromiso

  • Network: Unexpected authenticated API requests from IP addresses with no prior login activity; requests with connect.sid cookies that do not correspond to any server-initiated session in session store logs.
  • Logs: Authentication success events in application logs for sessions that were never established through the normal login flow; absence of corresponding login request preceding authenticated activity from the same IP.
  • Application Behavior: Unauthorized modifications to Flowise workflows, chatflows, or API keys; creation of new user accounts or changes to existing account privileges without corresponding admin activity.
  • Session Store: Session records with unusual or malformed user ID values, or sessions created without a preceding authentication event (FlowiseAI Advisory).

Mitigación y soluciones alternativas

Upgrade Flowise to version 3.1.0 or later, which addresses this vulnerability (GitHub Advisory). For deployments that cannot immediately upgrade, set the EXPRESS_SESSION_SECRET environment variable to a cryptographically strong, randomly generated value of at least 256 bits before restarting the service. The application should be configured to fail on startup if this variable is not set. After patching, conduct a security audit to identify any unauthorized access or session forgery that may have occurred during the exposure window (FlowiseAI Advisory).

Reacciones de la comunidad

The vulnerability was discovered via a deep code scan by Kolega.dev and reported through FlowiseAI's security advisory process. VulnCheck independently published an advisory on the issue. No significant public researcher commentary or social media discussion has been identified beyond the initial advisory publications (FlowiseAI Advisory, GitHub Advisory).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado Flowise Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-56278CRITICAL9.3
  • Flowise logoFlowise
  • flowise
NoJun 30, 2026
CVE-2026-56270HIGH8.7
  • Flowise logoFlowise
  • flowise
NoJun 24, 2026
CVE-2025-71332HIGH8.5
  • Flowise logoFlowise
  • flowise
NoNoJun 24, 2026
CVE-2026-56272MEDIUM5.6
  • Flowise logoFlowise
  • flowise
NoJun 24, 2026
CVE-2026-56269MEDIUM4.3
  • Flowise logoFlowise
  • flowise
NoJun 24, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades