
PEACH
Un cadre d’isolation des locataires
CVE-2026-56272 is a weak password hashing vulnerability in FlowiseAI's Flowise, an open-source low-code AI workflow builder. The flaw stems from the use of bcrypt with a default salt round value of 5, providing only 32 iterations — far below the OWASP-recommended minimum of 10 rounds (1,024 iterations). All Flowise versions before 3.0.13 are affected. It was published on June 24, 2026, with a patch released in version 3.0.13. The vulnerability carries a CVSS v3.1 base score of 4.1 (Medium) and a CVSS v4.0 base score of 5.6 (Medium) (GitHub Advisory, Feedly).
The root cause is classified as CWE-916 (Use of Password Hash With Insufficient Computational Effort). The vulnerable code resides in packages/server/src/enterprise/utils/encryption.util.ts (lines 5–7), where the getHash() function calls bcrypt.genSaltSync() with a default value of 5 if the PASSWORD_SALT_HASH_ROUNDS environment variable is not explicitly set. The same weak default is also used in the resetPassword function in account.service.ts:568. With 5 salt rounds, modern GPUs can compute approximately 300,000 bcrypt hashes per second compared to ~10,000 hashes/second at 10 rounds — a roughly 30x speed advantage for an attacker performing offline cracking after obtaining the database (GitHub Advisory).
In a database breach scenario, an attacker who obtains the Flowise user database can crack password hashes approximately 30 times faster than would be possible with properly configured bcrypt, potentially compromising all user accounts. The impact is limited to confidentiality (no integrity or availability impact), and exploitation requires prior access to the database — either through a separate breach or unauthorized database access. Cracked credentials could then be used for account takeover, unauthorized access to AI workflows, and potential lateral movement if users reuse passwords across systems (GitHub Advisory, Feedly).
$2b$05$ prefix in the hash string).-m 3200 for bcrypt) or John the Ripper.$2b$05$ in the Flowise user table, indicating hashes generated with only 5 salt rounds.PASSWORD_SALT_HASH_ROUNDS environment variable in the Flowise deployment configuration, confirming the insecure default of 5 rounds is in use.Upgrade Flowise to version 3.0.13 or later, which addresses the insecure default by increasing the bcrypt salt rounds. For deployments that cannot immediately upgrade, set the PASSWORD_SALT_HASH_ROUNDS environment variable to at least 10 (OWASP minimum) or 12 (recommended for better security-performance balance). Note that existing password hashes generated at 5 rounds remain vulnerable even after increasing the environment variable — users should be prompted to reset their passwords to force re-hashing with the new configuration. Additionally, implement account lockout policies, rate limiting on authentication endpoints, and restrict database access to minimize exposure in breach scenarios (GitHub Advisory, Feedly).
The vulnerability was discovered via a Kolega.dev Deep Code Scan and reported by the kolega-ai-dev team, with faizan@kolega.ai credited as the reporter. The GitHub Security Advisory was published by igor-magun-wd on March 5, 2026, and assigned a Moderate severity rating. No significant broader media coverage or notable social media commentary has been identified beyond standard vulnerability database aggregation (GitHub Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."