CRITICALVulnerability
Verified
Global

NVD CRITICAL: CVE-2026-56271 — Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded ...

·Source: NIST NVD

Updated:

Executive Summary

Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication middleware (packages/server/src/enterprise/middleware/passport/index.ts). When the corresponding environment variables (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SEC

Analysis

Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication middleware (packages/server/src/enterprise/middleware/passport/index.ts). When the corresponding environment variables (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, JWT_ISSUER) are not set, the application silently falls back to these publicly known defaults, allowing an attacker to forge valid JWTs and impersonate any user, including administrators, resulting in authentication bypass. CVSS Score: 9.8. Published: 2026-07-12T12:16:45.290.

Indicators of Compromise (1)

CVE (1)
CVE-2026-56271
Source Attribution

Originally published by NIST NVD on Jul 12, 2026. Verified by: NIST.

Related Threats