CVE-2026-56272
Status: Received - Intake
Flowise Password Hash Weakness Before 3.0.13

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database breach scenario.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor      Product   Version / Range
flowise     flowise   up to 3.0.13 (excluding 3.0.13)
flowiseai   flowise   up to 3.0.13 (excluding 3.0.13)
CWE
CWE-916: The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
AI Quick Actions
Executive Summary

CVE-2026-56272 is a vulnerability in Flowise versions before 3.0.13 where bcrypt password hashing uses a default salt rounds (cost) value of 5, which corresponds to only 32 iterations. This is significantly below the OWASP-recommended minimum of 10 rounds (1024 iterations).

Because of this insufficient number of hashing rounds, attackers can use modern GPU hardware to crack password hashes approximately 30 times faster than intended, making it easier to compromise user accounts if a database breach occurs.

Compliance Impact

The vulnerability in Flowise before version 3.0.13, which uses insufficient bcrypt salt rounds, weakens password hashing and allows attackers to crack password hashes approximately 30 times faster. This significantly increases the risk of user account compromise in the event of a database breach.

Such a weakness in password protection can impact compliance with common security standards and regulations like GDPR and HIPAA, which require adequate protection of personal and sensitive data. Failure to properly secure user credentials may lead to violations of these regulations due to inadequate data protection measures.

Therefore, this vulnerability could result in non-compliance with these standards, exposing organizations to legal and financial penalties if user data is compromised.

Impact Analysis

This vulnerability can lead to a significant reduction in the time and effort required for attackers to crack password hashes stored in a compromised Flowise database.

  • Attackers can crack passwords about 30 times faster using modern GPU hardware.
  • All user accounts in the database could be compromised if attackers gain access to the hashed passwords.
  • The weak hashing also affects password reset functionality, increasing the risk of account takeover.
Detection Guidance

This vulnerability can be detected by inspecting the bcrypt salt rounds configuration used by the Flowise application. Specifically, check if the bcrypt salt rounds are set to the default value of 5, which is insufficient and vulnerable.

You can verify the bcrypt salt rounds setting by examining the application configuration or source code for the parameter `PASSWORD_SALT_HASH_ROUNDS` or equivalent.

Example commands to detect the vulnerable setting might include:

  • Searching configuration files or environment variables for the salt rounds value, e.g., `grep -r PASSWORD_SALT_HASH_ROUNDS /path/to/flowise/config`
  • Checking the source code for bcrypt initialization parameters, e.g., `grep -r bcrypt /path/to/flowise/source` and looking for the salt rounds value.
  • If you have access to the running application environment, you might also inspect runtime environment variables or logs that indicate the bcrypt configuration.
Mitigation Strategies

The immediate mitigation step is to upgrade Flowise to version 3.0.13 or later, where the bcrypt salt rounds default has been increased to meet OWASP recommendations.

If upgrading is not immediately possible, manually increase the bcrypt salt rounds configuration (`PASSWORD_SALT_HASH_ROUNDS`) to at least 10 rounds, with 12 rounds recommended for a better balance between security and performance.

Note that existing password hashes generated with 5 rounds remain vulnerable even after increasing the rounds, so consider forcing users to reset their passwords to rehash them with the stronger setting.
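Because the cost factor is embedded in every bcrypt hash string, the accounts still carrying 5-round hashes can be inventoried directly from the stored values. The audit below is an added example, not Flowise's own code; it parses the cost from each hash and flags those below the minimum. The hash strings are constructed samples, not real Flowise data, and the `auditUsers` and `classifyHash` names are this example's own.

```javascript
// Added example: audit stored bcrypt hashes by the cost embedded in each one.
// A bcrypt hash looks like "$2b$05$<22-char salt><31-char hash>"; the two digits
// after the second "$" are the cost, and bcrypt does 2^cost key-expansion
// rounds (cost 5 = 32, cost 10 = 1024, cost 12 = 4096). This only parses the
// string; it never computes bcrypt, so it needs no dependencies.

const OWASP_MIN_COST = 10;   // minimum recommended on this page
const RECOMMENDED_COST = 12; // recommended setting on this page

const BCRYPT_RE = /^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{53})$/;

// Parse one hash string; returns null if it is not a well-formed bcrypt hash.
function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // bcrypt's valid cost range
  return { version: m[1], cost, iterations: 2 ** cost, salt: m[3].slice(0, 22) };
}

// Classify a hash against the minimum cost. Unparseable hashes are reported
// separately so they are not silently treated as safe.
function classifyHash(hash, minCost = OWASP_MIN_COST) {
  const parsed = parseBcryptHash(hash);
  if (!parsed) return { status: 'invalid', cost: null, iterations: null };
  return {
    status: parsed.cost < minCost ? 'weak' : 'ok',
    cost: parsed.cost,
    iterations: parsed.iterations,
  };
}

// Audit {user, hash} records; the "weak" list is the set of accounts whose
// hash must be regenerated (forced reset) with the stronger setting.
function auditUsers(users, minCost = OWASP_MIN_COST) {
  const report = { weak: [], ok: [], invalid: [] };
  for (const { user, hash } of users) {
    const c = classifyHash(hash, minCost);
    report[c.status].push({ user, cost: c.cost, iterations: c.iterations });
  }
  return report;
}

// Constructed sample records (not real data). Salt/hash bodies are placeholder
// characters from bcrypt's alphabet; only the cost field matters here.
const BODY = 'abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234';
const SAMPLE_USERS = [
  { user: 'alice', hash: `$2b$05$${BODY}` }, // cost 5: the pre-3.0.13 default
  { user: 'bob',   hash: `$2b$${RECOMMENDED_COST}$${BODY}` }, // cost 12
  { user: 'carol', hash: 'not-a-bcrypt-hash' },
];

console.log(JSON.stringify(auditUsers(SAMPLE_USERS), null, 2));
```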
