Active KEV: CVE-2026-56278 (2026-06-30)

CVE-2026-56278: Hardcoded Default Session Secret in Flowise Enables Authentication Bypass

A critical flaw in Flowise before version 3.1.0 lets unauthenticated attackers forge session cookies and impersonate any user because the application ships with a publicly known default session secret.

What Is It

CVE-2026-56278 is a use of hardcoded credentials (CWE-798) in Flowise, the low-code LLM application builder. When the EXPRESS_SESSION_SECRET environment variable is not set, the express-session middleware falls back to a weak hardcoded default secret, the literal string flowise, defined in packages/server/src/enterprise/middleware/passport/index.ts. Because this secret is visible in the project's public source code, an attacker can use it to forge valid signed session cookies, impersonate any user, and bypass authentication entirely.

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.1 (CRITICAL), with a CVSS 4.0 score of 9.3. It is remotely exploitable over the network with low attack complexity, requires no privileges, and needs no user interaction (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). A successful attack yields high confidentiality and integrity impact, giving an attacker the ability to authenticate as any user of an affected instance without valid credentials.

What's Vulnerable

Flowise (npm package flowise) versions 3.0.13 and earlier, that is, all releases before 3.1.0, are affected. An instance is exposed whenever the EXPRESS_SESSION_SECRET environment variable has not been explicitly set, because the middleware then falls back to the hardcoded default.

Patch Status

The issue is fixed in Flowise 3.1.0. Users should upgrade to version 3.1.0 or later; operators who cannot immediately upgrade should set a strong, unique EXPRESS_SESSION_SECRET rather than relying on the default. There is no CISA KEV entry for this CVE in the data available at the time of writing, so active exploitation is not confirmed.

Sources