// vulnerability record
cached · NVD via COSMOS sync
CVE-2026-56278
severity: CRITICAL
CVSS: 9.3 / 10
published 2026-06-30 23:17 UTC · 4 days ago · modified 2026-07-01 16:16 UTC
// description
Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.
// weaknesses (CWE)
- CWE-798 (Use of Hard-coded Credentials)