CVE-2026-56271
Received Received - Intake

Hardcoded JWT Secrets in Flowise Authentication Bypass

Vulnerability report for CVE-2026-56271, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulnCheck

Description

Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication middleware (packages/server/src/enterprise/middleware/passport/index.ts). When the corresponding environment variables (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, JWT_ISSUER) are not set, the application silently falls back to these publicly known defaults, allowing an attacker to forge valid JWTs and impersonate any user, including administrators, resulting in authentication bypass.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
flowiseai flowise to 3.1.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows attackers to forge valid JWTs and impersonate any user, including administrators, resulting in authentication bypass and potential unauthorized access to sensitive data.

Such unauthorized access and authentication bypass can lead to violations of data protection and privacy requirements mandated by common standards and regulations like GDPR and HIPAA, which require strong access controls and protection of personal and sensitive information.

Therefore, the presence of weak default JWT secrets and the resulting authentication bypass could compromise compliance with these regulations by exposing sensitive data to unauthorized parties.

Executive Summary

CVE-2026-56271 is a vulnerability in Flowise versions 3.0.13 and earlier where the application uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in its authentication middleware.

If the environment variables for these secrets are not set, the application silently falls back to these publicly known weak defaults. This allows an attacker to forge valid JSON Web Tokens (JWTs) and impersonate any user, including administrators.

The vulnerability arises because the application does not enforce explicit, strong secret configurations and even shares the same weak secret for both auth and refresh tokens if only one is configured, leading to authentication bypass.

Impact Analysis

This vulnerability can allow attackers to bypass authentication entirely by forging valid JWTs.

Attackers can impersonate any user, including administrators, gaining unauthorized access to protected endpoints.

This can lead to privilege escalation, unauthorized data access, and compromise of confidentiality and integrity of the system.

Detection Guidance

This vulnerability can be detected by checking if the Flowise application is running a version 3.0.13 or earlier and if the environment variables for JWT secrets (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, JWT_ISSUER) are unset or set to the default weak values.

You can inspect the environment variables on the system where Flowise is deployed to verify if the JWT secrets are configured properly.

  • Run a command to check environment variables, for example on Linux: `printenv | grep JWT` or `env | grep JWT`.
  • Check the Flowise version by running: `flowise --version` or inspecting the installed package version.
  • Review the configuration files or .env files for presence of default weak JWT secrets such as 'auth_token', 'refresh_token', 'AUDIENCE', or 'ISSUER'.
Mitigation Strategies

Immediate mitigation steps include removing all default hardcoded JWT secrets and explicitly configuring strong, unique secrets for JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER environment variables.

Ensure that the application does not run with insecure defaults by implementing startup validation to check for proper secret configuration.

Rotate existing secrets to prevent attackers from using previously forged tokens.

Upgrade Flowise to a version later than 3.1.0 where this vulnerability is fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart