CVE-2026-56278
Flowise Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-56278 is an authentication bypass vulnerability in Flowise, an open-source LLM orchestration platform, caused by a weak hardcoded default session secret. Flowise versions 3.0.13 and earlier use the string 'flowise' as the default secret for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not configured (packages/server/src/enterprise/middleware/passport/index.ts). Because this default is publicly visible in the source code, any attacker can forge valid signed session cookies to impersonate any user and bypass authentication entirely. The vulnerability was published on June 30, 2026, and patched in version 3.1.0. It carries a CVSS v3.1 base score of 9.1 (Critical) and a CVSS v4.0 base score of 9.3 (Critical) (GitHub Advisory, FlowiseAI Advisory).

Détails techniques

The root cause is classified as CWE-798 (Use of Hard-coded Credentials). The vulnerable code in packages/server/src/enterprise/middleware/passport/index.ts (line 55) reads: secret: process.env.EXPRESS_SESSION_SECRET || 'flowise', meaning any deployment that does not explicitly set the environment variable falls back to the publicly known default. An unauthenticated remote attacker can exploit this by using the known secret 'flowise' to sign arbitrary session cookie payloads using the same HMAC algorithm employed by express-session, effectively forging a valid authenticated session for any user account — including administrators — without needing credentials. The .env.example file treats EXPRESS_SESSION_SECRET as optional (commented out), compounding the risk by implying the default is acceptable for production use (FlowiseAI Advisory, GitHub Advisory).

Impact

Successful exploitation grants an unauthenticated attacker full authenticated access to the Flowise application, with the ability to impersonate any user — including administrators. This results in high confidentiality impact (access to all data, API keys, LLM configurations, and connected integrations) and high integrity impact (ability to modify workflows, inject malicious AI pipeline logic, or exfiltrate sensitive data). Availability is not directly impacted, but the ability to manipulate AI workflows and connected backend systems could have significant downstream consequences in production environments (GitHub Advisory, FlowiseAI Advisory).

Étapes d’exploitation

  1. Reconnaissance: Identify internet-facing Flowise instances (versions ≤ 3.0.13) using search engines like Shodan or Censys, or by checking the Flowise version endpoint if exposed.
  2. Confirm vulnerability: Verify that the target instance does not have EXPRESS_SESSION_SECRET set to a custom value — this can be inferred if the instance is running an unpatched version without explicit hardening documentation.
  3. Forge session cookie: Using the known default secret 'flowise', craft a valid express-session signed cookie. This can be done with Node.js using the cookie-signature library: var sig = require('cookie-signature'); var signed = 's:' + sig.sign(sessionId, 'flowise');
  4. Identify target user: Optionally enumerate user accounts or target the administrator account directly by crafting a session payload referencing a known or guessed user ID.
  5. Submit forged cookie: Send an HTTP request to the Flowise application with the forged connect.sid cookie value in the Cookie header.
  6. Achieve authenticated access: The server validates the cookie signature using the hardcoded secret, accepts the session as legitimate, and grants full authenticated access as the impersonated user — including administrative functions (FlowiseAI Advisory, GitHub Advisory).

Indicateurs de compromis

  • Network: Unexpected authenticated API requests from IP addresses with no prior login activity; requests with connect.sid cookies that do not correspond to any server-initiated session in session store logs.
  • Logs: Authentication success events in application logs for sessions that were never established through the normal login flow; absence of corresponding login request preceding authenticated activity from the same IP.
  • Application Behavior: Unauthorized modifications to Flowise workflows, chatflows, or API keys; creation of new user accounts or changes to existing account privileges without corresponding admin activity.
  • Session Store: Session records with unusual or malformed user ID values, or sessions created without a preceding authentication event (FlowiseAI Advisory).

Atténuation et solutions de contournement

Upgrade Flowise to version 3.1.0 or later, which addresses this vulnerability (GitHub Advisory). For deployments that cannot immediately upgrade, set the EXPRESS_SESSION_SECRET environment variable to a cryptographically strong, randomly generated value of at least 256 bits before restarting the service. The application should be configured to fail on startup if this variable is not set. After patching, conduct a security audit to identify any unauthorized access or session forgery that may have occurred during the exposure window (FlowiseAI Advisory).

Réactions de la communauté

The vulnerability was discovered via a deep code scan by Kolega.dev and reported through FlowiseAI's security advisory process. VulnCheck independently published an advisory on the issue. No significant public researcher commentary or social media discussion has been identified beyond the initial advisory publications (FlowiseAI Advisory, GitHub Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Flowise Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-56278CRITICAL9.3
  • Flowise logoFlowise
  • flowise
NonOuiJun 30, 2026
CVE-2026-56270HIGH8.7
  • Flowise logoFlowise
  • flowise
NonOuiJun 24, 2026
CVE-2025-71332HIGH8.5
  • Flowise logoFlowise
  • flowise
NonNonJun 24, 2026
CVE-2026-56272MEDIUM5.6
  • Flowise logoFlowise
  • flowise
NonOuiJun 24, 2026
CVE-2026-56269MEDIUM4.3
  • Flowise logoFlowise
  • flowise
NonOuiJun 24, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités