
PEACH
Un cadre d’isolation des locataires
CVE-2026-56278 is an authentication bypass vulnerability in Flowise, an open-source LLM orchestration platform, caused by a weak hardcoded default session secret. Flowise versions 3.0.13 and earlier use the string 'flowise' as the default secret for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not configured (packages/server/src/enterprise/middleware/passport/index.ts). Because this default is publicly visible in the source code, any attacker can forge valid signed session cookies to impersonate any user and bypass authentication entirely. The vulnerability was published on June 30, 2026, and patched in version 3.1.0. It carries a CVSS v3.1 base score of 9.1 (Critical) and a CVSS v4.0 base score of 9.3 (Critical) (GitHub Advisory, FlowiseAI Advisory).
The root cause is classified as CWE-798 (Use of Hard-coded Credentials). The vulnerable code in packages/server/src/enterprise/middleware/passport/index.ts (line 55) reads: secret: process.env.EXPRESS_SESSION_SECRET || 'flowise', meaning any deployment that does not explicitly set the environment variable falls back to the publicly known default. An unauthenticated remote attacker can exploit this by using the known secret 'flowise' to sign arbitrary session cookie payloads using the same HMAC algorithm employed by express-session, effectively forging a valid authenticated session for any user account — including administrators — without needing credentials. The .env.example file treats EXPRESS_SESSION_SECRET as optional (commented out), compounding the risk by implying the default is acceptable for production use (FlowiseAI Advisory, GitHub Advisory).
Successful exploitation grants an unauthenticated attacker full authenticated access to the Flowise application, with the ability to impersonate any user — including administrators. This results in high confidentiality impact (access to all data, API keys, LLM configurations, and connected integrations) and high integrity impact (ability to modify workflows, inject malicious AI pipeline logic, or exfiltrate sensitive data). Availability is not directly impacted, but the ability to manipulate AI workflows and connected backend systems could have significant downstream consequences in production environments (GitHub Advisory, FlowiseAI Advisory).
EXPRESS_SESSION_SECRET set to a custom value — this can be inferred if the instance is running an unpatched version without explicit hardening documentation.'flowise', craft a valid express-session signed cookie. This can be done with Node.js using the cookie-signature library: var sig = require('cookie-signature'); var signed = 's:' + sig.sign(sessionId, 'flowise');connect.sid cookie value in the Cookie header.connect.sid cookies that do not correspond to any server-initiated session in session store logs.Upgrade Flowise to version 3.1.0 or later, which addresses this vulnerability (GitHub Advisory). For deployments that cannot immediately upgrade, set the EXPRESS_SESSION_SECRET environment variable to a cryptographically strong, randomly generated value of at least 256 bits before restarting the service. The application should be configured to fail on startup if this variable is not set. After patching, conduct a security audit to identify any unauthorized access or session forgery that may have occurred during the exposure window (FlowiseAI Advisory).
The vulnerability was discovered via a deep code scan by Kolega.dev and reported through FlowiseAI's security advisory process. VulnCheck independently published an advisory on the issue. No significant public researcher commentary or social media discussion has been identified beyond the initial advisory publications (FlowiseAI Advisory, GitHub Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."