CVE-2026-56278 – Flowise
“A hardcoded secret can turn authentication into an open door.”
Flowise addressed a critical authentication vulnerability caused by the use of a weak hardcoded default secret for the Express session middleware when the EXPRESS_SESSION_SECRET environment variable is not configured. In affected versions (3.0.13 and earlier), the publicly known default secret could allow an attacker to forge valid session cookies, impersonate legitimate users, and bypass authentication. CVE-2026-56278 has a CVSS score of 9.1, which is Critical severity.
The issue affects Flowise versions prior to 3.1.0. Verified exploitation has not been reported. Updating to Flowise 3.1.0 or later and configuring a strong, unique session secret removes the exposure and restores the integrity of session-based authentication.
Key Details
- Affected Product
- Flowiseai Flowise
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-798