CVE-2026-56272
Flowise Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-56272 is a weak password hashing vulnerability in FlowiseAI's Flowise, an open-source low-code AI workflow builder. The flaw stems from the use of bcrypt with a default salt round value of 5, providing only 32 iterations — far below the OWASP-recommended minimum of 10 rounds (1,024 iterations). All Flowise versions before 3.0.13 are affected. It was published on June 24, 2026, with a patch released in version 3.0.13. The vulnerability carries a CVSS v3.1 base score of 4.1 (Medium) and a CVSS v4.0 base score of 5.6 (Medium) (GitHub Advisory, Feedly).

Détails techniques

The root cause is classified as CWE-916 (Use of Password Hash With Insufficient Computational Effort). The vulnerable code resides in packages/server/src/enterprise/utils/encryption.util.ts (lines 5–7), where the getHash() function calls bcrypt.genSaltSync() with a default value of 5 if the PASSWORD_SALT_HASH_ROUNDS environment variable is not explicitly set. The same weak default is also used in the resetPassword function in account.service.ts:568. With 5 salt rounds, modern GPUs can compute approximately 300,000 bcrypt hashes per second compared to ~10,000 hashes/second at 10 rounds — a roughly 30x speed advantage for an attacker performing offline cracking after obtaining the database (GitHub Advisory).

Impact

In a database breach scenario, an attacker who obtains the Flowise user database can crack password hashes approximately 30 times faster than would be possible with properly configured bcrypt, potentially compromising all user accounts. The impact is limited to confidentiality (no integrity or availability impact), and exploitation requires prior access to the database — either through a separate breach or unauthorized database access. Cracked credentials could then be used for account takeover, unauthorized access to AI workflows, and potential lateral movement if users reuse passwords across systems (GitHub Advisory, Feedly).

Étapes d’exploitation

  1. Obtain database access: Gain unauthorized access to the Flowise database through a separate vulnerability, misconfiguration, or insider threat — this is a prerequisite for exploitation.
  2. Extract password hashes: Query the user table to retrieve bcrypt password hashes stored with 5 salt rounds (identifiable by the $2b$05$ prefix in the hash string).
  3. Configure cracking tool: Load the extracted hashes into a GPU-accelerated password cracking tool such as Hashcat (mode -m 3200 for bcrypt) or John the Ripper.
  4. Execute offline brute-force/dictionary attack: Run the cracking tool against the hashes using wordlists (e.g., rockyou.txt) or rule-based mutations. The 5-round bcrypt configuration allows ~300,000 hashes/second on modern GPUs, enabling significantly faster cracking than properly configured instances.
  5. Use cracked credentials: Authenticate to the Flowise application or other services where users may have reused passwords, gaining unauthorized access to AI workflows, API keys, and connected integrations (GitHub Advisory).

Indicateurs de compromis

  • Database: Presence of bcrypt password hashes with the prefix $2b$05$ in the Flowise user table, indicating hashes generated with only 5 salt rounds.
  • Logs: Unusual or repeated authentication attempts against the Flowise application following a suspected database exposure event; login activity from unexpected IP addresses or geographic locations.
  • Configuration: Absence of the PASSWORD_SALT_HASH_ROUNDS environment variable in the Flowise deployment configuration, confirming the insecure default of 5 rounds is in use.
  • File System: Unexpected database dump files or export artifacts in the Flowise server environment that may indicate unauthorized data exfiltration (GitHub Advisory).

Atténuation et solutions de contournement

Upgrade Flowise to version 3.0.13 or later, which addresses the insecure default by increasing the bcrypt salt rounds. For deployments that cannot immediately upgrade, set the PASSWORD_SALT_HASH_ROUNDS environment variable to at least 10 (OWASP minimum) or 12 (recommended for better security-performance balance). Note that existing password hashes generated at 5 rounds remain vulnerable even after increasing the environment variable — users should be prompted to reset their passwords to force re-hashing with the new configuration. Additionally, implement account lockout policies, rate limiting on authentication endpoints, and restrict database access to minimize exposure in breach scenarios (GitHub Advisory, Feedly).

Réactions de la communauté

The vulnerability was discovered via a Kolega.dev Deep Code Scan and reported by the kolega-ai-dev team, with faizan@kolega.ai credited as the reporter. The GitHub Security Advisory was published by igor-magun-wd on March 5, 2026, and assigned a Moderate severity rating. No significant broader media coverage or notable social media commentary has been identified beyond standard vulnerability database aggregation (GitHub Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Flowise Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-56278CRITICAL9.3
  • Flowise logoFlowise
  • flowise
NonOuiJun 30, 2026
CVE-2026-56270HIGH8.7
  • Flowise logoFlowise
  • flowise
NonOuiJun 24, 2026
CVE-2025-71332HIGH8.5
  • Flowise logoFlowise
  • flowise
NonNonJun 24, 2026
CVE-2026-56272MEDIUM5.6
  • Flowise logoFlowise
  • flowise
NonOuiJun 24, 2026
CVE-2026-56269MEDIUM4.3
  • Flowise logoFlowise
  • flowise
NonOuiJun 24, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités