Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-56269— Flowise - Weak Default Token Hash Secret in JWT Token Encryption

CVSS 4.6 · Medium EPSS 0.09% · P1

Affected Version Matrix 2

VendorProductVersion RangeStatus
FlowiseFlowise< 3.1.0affected
3.1.0unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-56269

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Flowise - Weak Default Token Hash Secret in JWT Token Encryption
Source: NVD (National Vulnerability Database)
Vulnerability Description
Flowise before 3.1.0 (npm package flowise, versions 3.0.13 and earlier) uses a weak hardcoded default value 'Secre$t' for the TOKEN_HASH_SECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key used to encrypt user IDs and workspace IDs in the 'meta' field of JWT tokens. An attacker who knows the default secret can decrypt this metadata to extract internal user and workspace identifiers, and re-encrypt manipulated values such as altered user or workspace IDs. Because the JWT signature is validated separately, decrypting or tampering with this metadata does not by itself grant access, but the disclosure of internal identifiers and possible metadata manipulation could aid privilege escalation or unauthorized data access.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用硬编码的凭证
Source: NVD (National Vulnerability Database)
Vulnerability Title
FlowiseAI Flowise 信任管理问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
FlowiseAI Flowise是FlowiseAI公司开源的一个用于轻松构建 LLM 应用程序的工具。 FlowiseAI Flowise 3.1.0之前版本和3.0.13及之前版本存在信任管理问题漏洞,该漏洞源于使用弱硬编码默认值“Secre$t”作为TOKEN_HASH_SECRET环境变量,可能导致获取内部标识符和操作元数据,有助于权限提升或未授权数据访问。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
FlowiseFlowise 0 ~ 3.1.0 -

II. Public POCs for CVE-2026-56269

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-56269

登录查看更多情报信息。

Vendor Advisories for CVE-2026-56269 (2)

Same Patch Batch · Flowise · 2026-06-24 · 4 CVEs total

CVE-2026-562707.5 HIGHFlowise - Unauthenticated OAuth Secrets Disclosure via /api/v1/loginmethod Endpoint
CVE-2025-713326.5 MEDIUMFlowise - SQL Injection in importChatflows API via chatflow.id Parameter
CVE-2026-562724.1 MEDIUMFlowise - Insufficient Password Salt Rounds in Bcrypt Hashing

IV. Related Vulnerabilities

V. Comments for CVE-2026-56269

No comments yet


Leave a comment