216.73.216.133

CVE-2026-56278

· Published 01/07/2026 01:17 · Author: The MITRE Corporation

Labels: CVE-2026-56278

Essential information

Published
01/07/2026 01:17
Modified
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
9.1 CRITICAL (v3.1) 9.3 CRITICAL (v4.0)
CISA KEV
No
CWE
CWE-798
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS metrics

Description

Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.

NVD status

NVD
View on NVD