CVE-2026-56278 – Flowise

CVSS 9.1 CRITICAL Critical or Zero Day – Immediate Deployment

“A hardcoded secret can turn authentication into an open door.”

Flowise addressed a critical authentication vulnerability caused by the use of a weak hardcoded default secret for the Express session middleware when the EXPRESS_SESSION_SECRET environment variable is not configured. In affected versions (3.0.13 and earlier), the publicly known default secret could allow an attacker to forge valid session cookies, impersonate legitimate users, and bypass authentication. CVE-2026-56278 has a CVSS score of 9.1, which is Critical severity.

The issue affects Flowise versions prior to 3.1.0. Verified exploitation has not been reported. Updating to Flowise 3.1.0 or later and configuring a strong, unique session secret removes the exposure and restores the integrity of session-based authentication.

Key Details

Affected Product
Flowiseai Flowise
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-798
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.