Impact
Flowise before version 3.0.13 uses bcrypt with only 5 salt rounds, producing 32 iterations, far below the OWASP-recommended minimum of 10 rounds. The vulnerability is a weakness in the use of the password hash function, namely an insufficient number of bcrypt cost rounds (CWE-916). The reduced computational cost allows modern GPU hardware to crack password hashes roughly thirty times faster than with a more secure configuration. If an attacker obtains a copy of the database containing these hashes, each account's password could be recovered much more quickly, potentially leading to widespread account compromise.
Affected Systems
All Flowise installations running a version earlier than 3.0.13 are affected. The vendor, Flowise, did not ship a separate release that changes the default salt rounds before the 3.0.13 update. Users of earlier versions should verify the bcrypt round setting currently in use and confirm whether their deployment falls within the affected range.
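The cost-factor check described above and under Impact can be run against the hashes already stored in a database, since bcrypt embeds the cost in each hash string. The following is an added example, not Flowise's own code: it parses the bcrypt modular-crypt format, flags hashes whose cost is below the OWASP minimum of 10 (these should be recomputed on the user's next successful login), and reports how much cheaper a cracking attempt is at the weak cost. The sample rows and the salt/digest characters in them are constructed placeholders, not real hashes.

```javascript
// Added example (not Flowise code): audit stored bcrypt hashes for a weak cost factor.
// A bcrypt hash is "$2<v>$<cost>$<22-char salt><31-char digest>" in bcrypt's base64 alphabet.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$/;
const MIN_COST = 10; // OWASP-recommended minimum work factor (the advisory's threshold)

// Parse a bcrypt hash string; returns null if it is not a well-formed bcrypt hash.
function parseBcrypt(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // bcrypt only allows cost 4..31
  return { version: m[1], cost, iterations: 2 ** cost, salt: m[3].slice(0, 22) };
}

// True when the hash should be recomputed (e.g. on the user's next successful login).
function needsRehash(hash, minCost = MIN_COST) {
  const parsed = parseBcrypt(hash);
  return parsed === null || parsed.cost < minCost;
}

// How many times cheaper one guess is at `cost` than at `minCost` (cost 5 vs 10 -> 32).
function crackSpeedup(cost, minCost = MIN_COST) {
  return 2 ** (minCost - cost);
}

// Summarise {user, hash} rows: hashes per cost, accounts needing re-hash, malformed values.
function auditHashes(rows, minCost = MIN_COST) {
  const byCost = {};
  const weak = [];
  const malformed = [];
  for (const { user, hash } of rows) {
    const parsed = parseBcrypt(hash);
    if (!parsed) { malformed.push(user); continue; }
    byCost[parsed.cost] = (byCost[parsed.cost] || 0) + 1;
    if (parsed.cost < minCost) weak.push(user);
  }
  return { byCost, weak, malformed };
}

// Constructed sample rows: placeholder salt/digest characters, not real hashes.
const SAMPLE_ROWS = [
  { user: 'alice', hash: '$2b$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234' },
  { user: 'bob',   hash: '$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234' },
  { user: 'carol', hash: 'not-a-bcrypt-hash' },
];

console.log(JSON.stringify(auditHashes(SAMPLE_ROWS)));
```

Running this over a real user table (replacing SAMPLE_ROWS with rows read from the database) lists the accounts whose hashes still carry cost 5 and therefore need re-hashing after upgrading to 3.0.13.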
Risk and Exploitability
The CVSS score of 5.6 classifies the vulnerability as moderate. Although the EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, the reduced hashing strength increases the risk of a password cracking attack in the event of a database compromise. The likely attack vector, as inferred from the weakness, is an attacker who has already obtained the database or exfiltrated the hashed passwords and then uses GPU resources to accelerate cracking. Mitigation becomes critical when user accounts are valuable or when the database is considered a high-value target.
OpenCVE Enrichment
Github GHSA