Description
Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Tue, 30 Jun 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication. | |
| Title | Flowise - Session Hijacking via Weak Default Express Session Secret | |
| First Time appeared |
Flowiseai
Flowiseai flowise |
|
| Weaknesses | CWE-798 | |
| CPEs | cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Flowiseai
Flowiseai flowise |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-30T22:08:27.947Z
Reserved: 2026-06-20T01:51:24.919Z
Link: CVE-2026-56278
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-798
Use of Hard-coded Credentials