Jul 17, 2026·6 min read·6 visits
Flowise enterprise passport middleware silently falls back to hardcoded default JWT signing secrets and identifiers when configuration environment variables are left unset, enabling remote unauthenticated attackers to forge arbitrary tokens and take over administrator accounts.
CVE-2026-56271 represents a critical security flaw in Flowise, an open-source visual orchestration platform for Large Language Models (LLMs) and autonomous AI agents. The vulnerability occurs within the platform's enterprise passport authentication module, where default cryptographic parameters are used in the absence of explicit environment variables. Specifically, the middleware silently falls back to known, static hardcoded secrets ('auth_token' and 'refresh_token') and identifiers ('AUDIENCE' and 'ISSUER') to generate and verify session tokens. Consequently, remote unauthenticated attackers can construct arbitrary JSON Web Tokens (JWTs) signed with these hardcoded credentials to gain administrative entry to the application.
Flowise is a visual builder for developing applications utilizing Large Language Models (LLMs) and AI agents. It features an enterprise authentication subsystem implemented via Passport.js middleware to manage secure sessions and restrict API access to authenticated users.
The vulnerability, designated as CVE-2026-56271, resides in the server module's configuration parsing logic. When enterprise authentication is enabled, the platform relies on JSON Web Tokens (JWTs) to authenticate requests. However, the system contains fallback logic that automatically defaults to static, hardcoded cryptographic values if the administrator has not configured custom secrets.
This behavior violates fundamental cryptographic principles by exposing critical trust assets. The vulnerability is classified under CWE-321 (Use of Hard-coded Cryptographic Key) and CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). Unauthenticated attackers can exploit this logic remotely to gain unauthorized access to the application.
The root cause of this vulnerability lies within the initialization sequence of the enterprise passport middleware, located at packages/server/src/enterprise/middleware/passport/index.ts. To authenticate API requests, the server relies on the verification of JWTs supplied in HTTP headers.
During initialization, the application attempts to read several critical configuration parameters from the environment. These include JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER. If these parameters are missing, instead of halting initialization or raising a fatal configuration exception, the middleware proceeds using hardcoded fallbacks.
The default values utilized by the application are 'auth_token' for the authentication token secret, 'refresh_token' for the refresh token secret, 'AUDIENCE' for the expected token audience, and 'ISSUER' for the expected token issuer. Because these strings are publicly available in the open-source repository, any instance of Flowise deployed without these environment variables relies on the exact same static key material to verify session signatures.
The core flaw can be observed in the variable assignment logic where environment configuration is evaluated. If the left-hand operand of the logical OR operator is undefined, the program evaluates the right-hand operand, which contains the static string literal.
// VULNERABLE COMPONENT
// packages/server/src/enterprise/middleware/passport/index.ts
const authSecret = process.env.JWT_AUTH_TOKEN_SECRET || 'auth_token';
const refreshSecret = process.env.JWT_REFRESH_TOKEN_SECRET || 'refresh_token';
const audience = process.env.JWT_AUDIENCE || 'AUDIENCE';
const issuer = process.env.JWT_ISSUER || 'ISSUER';To remediate this structural flaw, the application must completely eliminate hardcoded secrets from its execution paths. In secure designs, the application either throws a fatal error during bootstrap when required configurations are absent, or dynamically generates unique, high-entropy secrets in memory during startup.
// PATCHED COMPONENT
// Utilizing crypto package to prevent predictable fallback keys
import crypto from 'crypto';
// Generate a high-entropy, ephemeral secret if environment configuration is absent
const dynamicAuthSecret = process.env.JWT_AUTH_TOKEN_SECRET || crypto.randomBytes(32).toString('hex');
const dynamicRefreshSecret = process.env.JWT_REFRESH_TOKEN_SECRET || crypto.randomBytes(32).toString('hex');
// Enforce configuration validation for claims parameters
const audience = process.env.JWT_AUDIENCE;
const issuer = process.env.JWT_ISSUER;
if (!audience || !issuer) {
throw new Error('Initialization failure: JWT_AUDIENCE and JWT_ISSUER must be explicitly declared');
}By implementing dynamic fallback values, any session tokens forged using the static default values will fail validation because the server-side validation key is now unique to the runtime instance and completely unpredictable.
Exploitation of CVE-2026-56271 requires no specialized privileges, user interaction, or advanced cryptographic analysis. The attack complexity is low. An attacker must first confirm that the target instance is running a vulnerable version of Flowise and has not had its default JWT configuration altered.
The attacker then constructs a malicious JWT. The token header is configured with standard hashing algorithms such as HMAC SHA-256 (HS256). The payload is crafted with claims identifying the user as an administrator, accompanied by the standard 'AUDIENCE' and 'ISSUER' claims. Finally, the attacker signs the serialized header and payload using the hardcoded cryptographic key 'auth_token':
{
"alg": "HS256",
"typ": "JWT"
}
{
"sub": "admin-user-id-or-email",
"role": "admin",
"aud": "AUDIENCE",
"iss": "ISSUER",
"exp": 1924905600
}Once the forged token is generated, the attacker attaches it to the Authorization header of an HTTP request directed at a protected API endpoint (e.g., Authorization: Bearer <forged_token>). The server receives the request, attempts validation using the static secret, and admits the request because the signature matches.
The security impact of successful exploitation is complete administrative compromise of the affected Flowise instance. Because Flowise acts as an orchestrator for Large Language Models and AI agents, it holds sensitive system integration configurations, including API keys for model providers (e.g., OpenAI, Anthropic, Cohere), database connection strings, and vector database credentials.
By bypassing authentication, an attacker gains full access to these secrets. They can modify existing AI pipelines, inject malicious prompts (prompt injection attacks), redirect data streams, or read private chat transcripts stored in the system. If the Flowise instance is configured to execute shell tools or custom Python scripts, an administrative compromise can easily lead to Remote Code Execution (RCE) on the host machine.
The vulnerability is rated as Critical with an NVD CVSS v3.1 score of 9.8. This score reflects the combination of zero-privilege remote access, low exploitation complexity, and extreme impact across confidentiality, integrity, and availability metrics.
The primary remediation path is upgrading the Flowise deployment to version 3.1.0 or later. This version contains changes to how authentication tokens are validated, preventing fallback to known static keys. Developers must ensure that all dependencies, including flowise, flowise-ui, and flowise-components, are updated simultaneously.
If immediate upgrading is unfeasible, administrators must enforce configuration hardening by manually defining high-entropy keys within the environment variables. The configuration requires setting JWT_AUTH_TOKEN_SECRET and JWT_REFRESH_TOKEN_SECRET to randomized strings of at least 32 characters, alongside specific, unique values for JWT_AUDIENCE and JWT_ISSUER.
Deployers must also audit existing configurations. If the application was previously run with default values, any existing sessions must be invalidated immediately. Changing the secrets will automatically expire all active sessions, forcing users to authenticate against the newly defined security parameters.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
flowise FlowiseAI | <= 3.0.13 | 3.1.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-321 / CWE-327 |
| Attack Vector | Network |
| CVSS v3.1 Score | 9.8 (Critical) |
| CVSS v4.0 Score | 9.3 (Critical) |
| EPSS Score | 0.00376 (29.82 percentile) |
| Exploit Status | none |
| CISA KEV Status | Not Listed |
The software uses a hard-coded cryptographic key, which can allow an attacker to bypass authentication, decrypt sensitive data, or perform other cryptographic operations.
CVE-2026-52870 is a high-severity Broken Object-Level Authorization (BOLA) / Missing Authorization vulnerability (CWE-862) discovered in the experimental tasks feature of the Model Context Protocol (MCP) Python SDK. Under affected versions (< 1.27.2), default handlers registered via server.experimental.enable_tasks() allowed connected clients to enumerate, access, and terminate active tasks belonging to other user sessions due to a lack of session ownership validation. This compromised multi-tenant isolation, allowing authenticated users to extract execution data and cancel running jobs across concurrent connections. The vulnerability has been resolved in version 1.27.2 through session-scoping of task identifiers and transport session pinning.
A high-severity privilege escalation and sandbox escape vulnerability exists in ArcadeDB Server prior to version 26.7.1. This flaw permits an authenticated user with read-only privileges to execute arbitrary JVM code in a sandboxed JavaScript context via the API command endpoint. By utilizing reflection on bound Java objects, an attacker can bypass the GraalVM guest environment's whitelist, access the Java ClassLoader, and perform arbitrary file reads on the host filesystem.
CVE-2026-59950 is a high-severity security vulnerability in the Model Context Protocol (MCP) Python SDK. Prior to version 1.28.1, the SDK's deprecated WebSocket server transport accepted incoming connection handshakes without performing validation on the Host or Origin headers. Because web browsers do not restrict WebSocket connections using the Same-Origin Policy (SOP), this enables malicious third-party websites to perform a Cross-Site WebSocket Hijacking (CSWSH) attack, executing unauthorized commands on behalf of the local user.
ArcadeDB is an open-source, multi-model database engine supporting graph, document, key-value, and vector models. In affected versions of ArcadeDB, the trigger script executor improperly configures GraalVM scripting engine permissions. By allowing the 'java.lang.*' package to be loaded within the scripting context, the sandbox environment can be bypassed. An authenticated user with schema administration privileges ('UPDATE_SCHEMA') can register a malicious script trigger that executes arbitrary Java host classes, leading to unauthenticated remote command execution under the context of the ArcadeDB server process.
A critical improper access control vulnerability (CWE-284) in the WebSocket upgrade endpoint of Le Circuit Électrique charging station backend allows remote, unauthenticated attackers to connect to the Charging Station Management System and impersonate charging stations.
CVE-2026-55040 is a critical security feature bypass vulnerability in Microsoft SharePoint Server arising from a weak authentication mechanism (CWE-1390). An unauthenticated remote attacker can exploit this security flaw over a network to bypass authentication validation routines, gaining unauthorized access to the application and complete control over sensitive enterprise data assets without any user interaction.