CVE-2026-56269
Weak Hardcoded Secret in Flowise Leading to JWT Metadata Exposure

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
Flowise before 3.1.0 (npm package flowise, versions 3.0.13 and earlier) uses a weak hardcoded default value 'Secre$t' for the TOKEN_HASH_SECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key used to encrypt user IDs and workspace IDs in the 'meta' field of JWT tokens. An attacker who knows the default secret can decrypt this metadata to extract internal user and workspace identifiers, and re-encrypt manipulated values such as altered user or workspace IDs. Because the JWT signature is validated separately, decrypting or tampering with this metadata does not by itself grant access, but the disclosure of internal identifiers and possible metadata manipulation could aid privilege escalation or unauthorized data access.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
flowise | flowise | to 3.1.0 (exc)
flowiseai | flowise | to 3.1.0 (exc)
CWE
CWE ID | Description
CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key.
Compliance Impact

The vulnerability involves the use of a weak hardcoded default secret to encrypt user and workspace identifiers in JWT tokens, which can lead to the disclosure of internal identifiers and potential unauthorized data access.

Such unauthorized disclosure and potential manipulation of user-related data could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and disclosure.

Although the vulnerability does not directly grant access, the exposure of internal identifiers and metadata manipulation could aid privilege escalation, increasing the risk of non-compliance with confidentiality and integrity requirements mandated by these regulations.

Executive Summary

Flowise versions 3.0.13 and earlier use a weak hardcoded default value 'Secre$t' for the TOKEN_HASH_SECRET environment variable when it is not configured.

This secret is used to derive the AES-256-CBC key that encrypts user IDs and workspace IDs in the 'meta' field of JWT tokens.

An attacker who knows this default secret can decrypt this metadata to extract internal user and workspace identifiers and can re-encrypt manipulated values such as altered user or workspace IDs.

Although decrypting or tampering with this metadata does not by itself grant access because JWT signatures are validated separately, the disclosure of internal identifiers and possible metadata manipulation could help attackers escalate privileges or gain unauthorized data access.

Impact Analysis

The vulnerability allows attackers who know the weak default secret to decrypt sensitive metadata within JWT tokens, revealing internal user and workspace identifiers.

Attackers can also manipulate and re-encrypt this metadata, potentially altering user or workspace IDs.

While this does not directly grant access due to separate JWT signature validation, it can aid attackers in escalating privileges or accessing unauthorized data.

Detection Guidance

This vulnerability arises from the use of a weak hardcoded default value 'Secre$t' for the TOKEN_HASH_SECRET environment variable in Flowise versions 3.0.13 and earlier when the variable is not configured.

To detect this vulnerability on your system, you can check the environment variable TOKEN_HASH_SECRET used by the Flowise server process to see if it is set to the default weak value 'Secre$t' or is unset.

Suggested commands to detect this include:

  • On Linux/Unix systems, check environment variables of the running Flowise process: `ps aux | grep flowise` to find the process, then `cat /proc/<pid>/environ | tr '\0' '\n' | grep TOKEN_HASH_SECRET` to see the value.
  • Alternatively, if you have access to the deployment environment, run `echo $TOKEN_HASH_SECRET` in the shell where Flowise is started.
  • Inspect the configuration files or startup scripts for Flowise to verify if TOKEN_HASH_SECRET is explicitly set or left unset.

Since the vulnerability involves decrypting JWT token metadata, monitoring network traffic for JWT tokens and attempting to decrypt the 'meta' field using the default secret 'Secre$t' could also help confirm the vulnerability, but this requires specialized tooling and knowledge.

Mitigation Strategies

The primary mitigation step is to ensure that the TOKEN_HASH_SECRET environment variable is configured with a strong, random secret value instead of relying on the default hardcoded value 'Secre$t'.

Specifically, you should:

  • Set TOKEN_HASH_SECRET to a strong random value with at least 32 bytes of entropy.
  • Enforce configuration of TOKEN_HASH_SECRET at application startup so that the application refuses to run if the variable is unset or set to the default weak value.
  • Upgrade Flowise to a version later than 3.1.0 where this issue is fixed.

These steps will prevent attackers from decrypting or manipulating JWT token metadata using the known weak secret, reducing the risk of privilege escalation or unauthorized data access.
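
The detection and mitigation steps above, combined into one added shell example (not Flowise code and not part of the original advisory): it classifies TOKEN_HASH_SECRET from a process environment file without printing the secret, generates a 32-byte replacement, and provides a startup guard. The function names, the 64-character minimum and the treatment of an empty value as unset are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit and startup guard for TOKEN_HASH_SECRET.
WEAK_DEFAULT='Secre$t'  # default value named in this advisory
MIN_LEN=64              # assumed policy: 32 random bytes as hex = 64 chars
                        # (length is only a proxy for entropy)

# classify_secret VALUE -> prints UNSET, DEFAULT, SHORT or OK.
# The value itself is never printed, so the output is safe to log.
classify_secret() {
    if [ -z "$1" ]; then
        echo UNSET      # assumption: an empty value is treated like unset
    elif [ "$1" = "$WEAK_DEFAULT" ]; then
        echo DEFAULT
    elif [ "${#1}" -lt "$MIN_LEN" ]; then
        echo SHORT
    else
        echo OK
    fi
}

# audit_environ FILE -> verdict for a NUL-separated environment file,
# e.g. /proc/<pid>/environ of the Flowise server process.
audit_environ() {
    value=$(tr '\0' '\n' < "$1" | sed -n 's/^TOKEN_HASH_SECRET=//p' | head -n 1)
    classify_secret "$value"
}

# new_secret -> 32 bytes from the kernel CSPRNG, hex-encoded (64 chars).
new_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# require_strong_secret -> exit status 0 only when the current shell's
# TOKEN_HASH_SECRET is OK; call it in an entrypoint before starting the server.
require_strong_secret() {
    verdict=$(classify_secret "${TOKEN_HASH_SECRET:-}")
    [ "$verdict" = "OK" ] && return 0
    echo "refusing to start: TOKEN_HASH_SECRET is $verdict" >&2
    return 1
}
```

`/proc/<pid>/environ` reflects the environment the process was started with, so a value the application loads later from a configuration file does not appear there and has to be checked in that file.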
