GHSA-jpvq-qwhh-pw47
Flowise versions 3.0.13 and earlier use weak hardcoded default JWT secrets and default audience and issuer values in their enterprise passport authentication middleware. If the environment variables for these JWT parameters are not set, the application falls back to publicly known default values, enabling attackers to forge valid JWTs and impersonate any user, including administrators, leading to authentication bypass.
AI Analysis
Technical Summary
Flowise before version 3.1.0 (specifically 3.0.13 and earlier) contains a vulnerability where weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') are used in the enterprise passport authentication middleware. When environment variables JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER are not configured, the system silently defaults to these known weak values. This allows an attacker to forge valid JWT tokens, bypass authentication, and impersonate any user, including administrators. The vulnerability is classified under CWE-321 (Use of Hard-coded Cryptographic Key). No patch or official fix information is provided in the data.
Potential Impact
An attacker can create forged JWT tokens due to the use of weak, hardcoded default secrets and default audience/issuer values. This enables authentication bypass and full user impersonation, including administrative accounts, compromising the integrity and security of the affected Flowise application.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, ensure that the environment variables JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER are explicitly set to strong, unique values to prevent fallback to weak defaults.
GHSA-jpvq-qwhh-pw47
Description
Flowise versions 3.0.13 and earlier use weak hardcoded default JWT secrets and default audience and issuer values in their enterprise passport authentication middleware. If the environment variables for these JWT parameters are not set, the application falls back to publicly known default values, enabling attackers to forge valid JWTs and impersonate any user, including administrators, leading to authentication bypass.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Flowise before version 3.1.0 (specifically 3.0.13 and earlier) contains a vulnerability where weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') are used in the enterprise passport authentication middleware. When environment variables JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER are not configured, the system silently defaults to these known weak values. This allows an attacker to forge valid JWT tokens, bypass authentication, and impersonate any user, including administrators. The vulnerability is classified under CWE-321 (Use of Hard-coded Cryptographic Key). No patch or official fix information is provided in the data.
Potential Impact
An attacker can create forged JWT tokens due to the use of weak, hardcoded default secrets and default audience/issuer values. This enables authentication bypass and full user impersonation, including administrative accounts, compromising the integrity and security of the affected Flowise application.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, ensure that the environment variables JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER are explicitly set to strong, unique values to prevent fallback to weak defaults.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-jpvq-qwhh-pw47
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-56271"]
- Ecosystems
- []
- Database Specific Severity
- CRITICAL
- Cvss Version
- 4.0
Threat ID: 6a54ae1668715ace438f972f
Added to database: 07/13/2026, 09:21:26 UTC
Last enriched: 07/13/2026, 10:00:44 UTC
Last updated: 07/14/2026, 02:48:51 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.