Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-56278

CVE-2026-56278: Flowise Auth Bypass Vulnerability

CVE-2026-56278 is an authentication bypass flaw in Flowise that exploits a hardcoded session secret, allowing attackers to forge cookies and impersonate users. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-56278 Overview

CVE-2026-56278 is an authentication bypass vulnerability in Flowise versions 3.0.13 and earlier. The application ships with a weak hardcoded default secret (flowise) for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not configured. The vulnerable logic lives in packages/server/src/enterprise/middleware/passport/index.ts. Because the default secret is publicly visible in the open-source repository, attackers can forge valid signed session cookies and impersonate any user, including administrators. The issue is tracked under CWE-798: Use of Hard-coded Credentials and was fixed in Flowise 3.1.0.

Critical Impact

Unauthenticated remote attackers can forge session cookies to impersonate arbitrary users and gain full application access on Flowise instances deployed with the default configuration.

Affected Products

  • Flowise versions 3.0.13 and earlier
  • Deployments where EXPRESS_SESSION_SECRET is unset
  • Enterprise passport middleware component in packages/server/src/enterprise/middleware/passport/index.ts

Discovery Timeline

  • 2026-06-30 - CVE-2026-56278 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-56278

Vulnerability Analysis

Flowise is a low-code platform for building LLM applications. Its Express.js server uses express-session to manage authenticated sessions. Session cookies are signed with a secret key using HMAC to prevent tampering. When the runtime cannot find an EXPRESS_SESSION_SECRET environment variable, the application silently falls back to the string flowise as the signing key.

Because this fallback value is checked into the public source tree, any attacker can retrieve it. The attacker can then generate a session identifier, sign it with the known secret, and present the forged cookie to the server. The server validates the signature successfully and treats the request as an authenticated session belonging to whichever user identifier the attacker embeds.

This grants full application access, including access to enterprise features, connected LLM credentials, and any data managed through the platform.

Root Cause

The root cause is CWE-798: Use of Hard-coded Credentials. The middleware initialization defaults secret to a static string when the environment variable is missing rather than failing closed or generating a per-instance random value. Deployments that follow the default docker run or npm start instructions without setting EXPRESS_SESSION_SECRET inherit the shared, publicly known secret.

Attack Vector

The attack is remote, unauthenticated, and requires no user interaction. An attacker locates a Flowise instance exposed to the network, crafts an HMAC-SHA256 signed session cookie using the flowise secret, and submits it in the Cookie header. The server accepts the forged cookie and authenticates the attacker as the specified user. See the VulnCheck Advisory on Flowise session hijacking and the GitHub Security Advisory GHSA-2qqc-p94c-hxwh for additional technical detail.

Detection Methods for CVE-2026-56278

Indicators of Compromise

  • Session cookies (connect.sid) signed with the flowise secret appearing from unexpected source IPs
  • Authentication events lacking a preceding login request in access logs
  • Sudden administrative actions from user accounts that have not recently authenticated
  • Outbound traffic from the Flowise host to unfamiliar destinations after suspicious session activity

Detection Strategies

  • Inspect Flowise deployments for a missing or unset EXPRESS_SESSION_SECRET environment variable
  • Correlate HTTP access logs to identify requests carrying valid session cookies without corresponding /login or /auth calls
  • Verify the installed Flowise version and flag any instance at or below 3.0.13
  • Monitor for unauthorized creation, modification, or export of chatflows and credentials

Monitoring Recommendations

  • Forward Flowise application logs and reverse proxy logs to a centralized logging pipeline for retention and analysis
  • Alert on repeated set-cookie mismatches or session IDs that fail to map to a known authentication event
  • Track container or process environment variables at deployment time to confirm secrets are configured

How to Mitigate CVE-2026-56278

Immediate Actions Required

  • Upgrade Flowise to version 3.1.0 or later
  • Set a strong, randomly generated EXPRESS_SESSION_SECRET environment variable before restarting the service
  • Invalidate all existing sessions and force reauthentication for every user
  • Rotate any API keys, LLM provider credentials, and integration secrets stored inside Flowise

Patch Information

The maintainers fixed CVE-2026-56278 in Flowise 3.1.0. Refer to the GitHub Security Advisory GHSA-2qqc-p94c-hxwh for the official patch notes and remediation guidance.

Workarounds

  • Configure EXPRESS_SESSION_SECRET to a cryptographically random value of at least 32 bytes before restart
  • Restrict network exposure of Flowise to trusted networks or place it behind an authenticating reverse proxy
  • Enforce IP allowlisting on the reverse proxy for administrative access until the patched version is deployed
bash
# Configuration example: generate and set a strong session secret
export EXPRESS_SESSION_SECRET="$(openssl rand -hex 32)"

# Persist in the container environment (docker-compose example)
# environment:
#   - EXPRESS_SESSION_SECRET=${EXPRESS_SESSION_SECRET}

# Restart Flowise to apply the new secret
npm start

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.