Description
Flowise before 3.1.0 (npm package flowise, versions 3.0.13 and earlier) uses a weak hardcoded default value 'Secre$t' for the TOKEN_HASH_SECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key used to encrypt user IDs and workspace IDs in the 'meta' field of JWT tokens. An attacker who knows the default secret can decrypt this metadata to extract internal user and workspace identifiers, and re-encrypt manipulated values such as altered user or workspace IDs. Because the JWT signature is validated separately, decrypting or tampering with this metadata does not by itself grant access, but the disclosure of internal identifiers and possible metadata manipulation could aid privilege escalation or unauthorized data access.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Flowise versions 3.0.13 and earlier fall back to a hardcoded default secret, "Secre$t", when TOKEN_HASH_SECRET is not configured, and use it to derive the AES-256-CBC key that encrypts user and workspace identifiers inside the JWT 'meta' field. Because the JWT signature is verified separately, decrypting or manipulating this field does not by itself grant authentication, but it reveals internal identifiers that could be used for privilege escalation or unauthorized data access. The weakness is classified as CWE-798: Use of Hard-coded Credentials.

Affected Systems

The affected product is Flowise, distributed as the npm package flowise. All releases prior to 3.1.0 (version 3.0.13 and earlier) contain the weak default TOKEN_HASH_SECRET. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA KEV, suggesting limited public exploitation. The likely attack vector involves any environment where the default secret is used; an attacker who can access the JWT token or trigger the token generation process can decrypt or tamper with the meta field due to the predictable key. Since the secret is hardcoded, the condition is present by default unless the operator explicitly sets a secure TOKEN_HASH_SECRET. Because the vulnerability does not provide direct authentication bypass, the impact requires additional exploit steps such as secondary privilege escalation or data exfiltration, but it can aid attackers in identifying valuable internal identifiers.

Generated by OpenCVE AI on June 24, 2026 at 13:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.1.0 or later, which removes the hardcoded secret
  • Set a strong, unique value for the TOKEN_HASH_SECRET environment variable to replace the default key
  • Restrict exposure of JWT tokens and monitor for abnormal access patterns or identifier disclosure
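
A pre-start audit covering the first two actions above, as an added example (not code from Flowise or OpenCVE). The function names, the length and entropy thresholds, and the sample values are assumptions; the default value and the fixed version come from the advisory.

```javascript
// Added example (not Flowise code): pre-start audit for the weak default secret.
const KNOWN_DEFAULT = 'Secre$t'; // default value named in the advisory
const FIXED_VERSION = [3, 1, 0]; // first fixed release per the advisory
const MIN_LENGTH = 32;           // assumption: local policy threshold
const MIN_ENTROPY_BITS = 128;    // assumption: local policy threshold

// True when a "major.minor.patch" flowise version is older than 3.1.0.
function isAffectedVersion(version) {
  const parts = version.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== FIXED_VERSION[i]) return a < FIXED_VERSION[i];
  }
  return false;
}

// Heuristic only: empirical Shannon entropy (bits per character x length).
// It flags short or repetitive values; it cannot prove a value is random.
function entropyBits(s) {
  const chars = [...s];
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let perChar = 0;
  for (const c of counts.values()) {
    const p = c / chars.length;
    perChar -= p * Math.log2(p);
  }
  return perChar * chars.length;
}

// Returns a list of findings; an empty list means the deployment passes.
function auditDeployment(env, version) {
  const findings = [];
  if (isAffectedVersion(version)) findings.push(`flowise ${version} is older than 3.1.0: upgrade`);
  const secret = env.TOKEN_HASH_SECRET;
  if (secret === undefined) {
    findings.push('TOKEN_HASH_SECRET is not configured; releases before 3.1.0 then use the hardcoded default');
    return findings;
  }
  if (secret === KNOWN_DEFAULT) findings.push('TOKEN_HASH_SECRET equals the published default');
  if (secret.length < MIN_LENGTH) findings.push(`TOKEN_HASH_SECRET is shorter than ${MIN_LENGTH} characters`);
  if (entropyBits(secret) < MIN_ENTROPY_BITS) findings.push('TOKEN_HASH_SECRET has low estimated entropy');
  return findings;
}

// Constructed sample (not a real secret), shaped like `openssl rand -hex 32` output.
const SAMPLE_STRONG = '9f2c7a41d8b35e60c4a7f19b2e8d3056ab71c9e4f0d2638a5b7c1e94d6f0a823';
console.log(auditDeployment({}, '3.0.13'));
console.log(auditDeployment({ TOKEN_HASH_SECRET: SAMPLE_STRONG }, '3.1.0'));
```

Run it from the service's start script with process.env and the installed package version, and refuse to start while the returned list is non-empty.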

Advisories
Source | ID | Title
Github GHSA | GHSA-m7mq-85xj-9x33 | Flowise: Weak Default Token Hash Secret

History

Wed, 24 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | Flowise before 3.1.0 (npm package flowise, versions 3.0.13 and earlier) uses a weak hardcoded default value 'Secre$t' for the TOKEN_HASH_SECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key used to encrypt user IDs and workspace IDs in the 'meta' field of JWT tokens. An attacker who knows the default secret can decrypt this metadata to extract internal user and workspace identifiers, and re-encrypt manipulated values such as altered user or workspace IDs. Because the JWT signature is validated separately, decrypting or tampering with this metadata does not by itself grant access, but the disclosure of internal identifiers and possible metadata manipulation could aid privilege escalation or unauthorized data access.
Title | | Flowise - Weak Default Token Hash Secret in JWT Token Encryption
First Time appeared | | Flowiseai; Flowiseai flowise
Weaknesses | | CWE-798
CPEs | | cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Vendors & Products | | Flowiseai; Flowiseai flowise
References | |
Metrics | | cvssV3_1: {'score': 4.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N'}
Metrics | | cvssV4_0: {'score': 4.3, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-24T14:58:19.578Z
Reserved: 2026-06-20T01:47:54.000Z
Link: CVE-2026-56269

Vulnrichment

Updated: 2026-06-24T14:58:13.786Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:00:09Z

Weaknesses
  • CWE-798: Use of Hard-coded Credentials