COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-56271

CVE-2026-56271

Severity
critical
Source
NVD · cve
Published
2026-07-12
CVSS
9.8
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-56271
shame 85/100 default-credsauth-bypassnegligence

Flowise defaults to publicly known JWT secrets when environment variables are missing, enabling authentication bypass and impersonation of administrators.

This critical flaw allows attackers to forge valid JWTs and impersonate any user, including admins, by exploiting hardcoded defaults when configuration is omitted. For DIB orgs, this creates a high-risk authentication bypass that bypasses standard compliance controls if the vendor's default configuration is used in production. Immediate patching and enforcing environment variable configuration are required to mitigate exposure.

Shame score — Hardcoded secrets that silently fall back to public defaults when environment variables are missing is a negligent design pattern that enables immediate authentication bypass.

Description

Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication middleware (packages/server/src/enterprise/middleware/passport/index.ts). When the corresponding environment variables (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, JWT_ISSUER) are not set, the application silently falls back to these publicly known defaults, allowing an attacker to forge valid JWTs and impersonate any user, including administrators, resulting in authentication bypass.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.