CRITICAL CVE-2026-56278 Published Modified CNA VulnCheck

CVE-2026-56278: Flowise - Session Hijacking via Weak Default Express Session Secret

Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 3.1.0
Affected Products: 1


HarborGuard Analysis

Synopsis

Session hijacking via weak hardcoded default secret in Flowise, the open-source LLM workflow builder. Flowise versions 3.0.13 and earlier fall back to the publicly known string 'flowise' as the express-session signing secret when the EXPRESS_SESSION_SECRET environment variable is not configured. An unauthenticated remote attacker can use this known secret to forge valid signed session cookies and impersonate any user, bypassing authentication entirely. A patched-image rebuild at version 3.1.0 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-56278 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that package Flowise. Any image running Flowise below 3.1.0 is flagged automatically.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS v4.0 9.3 (Critical) and weighting it against each environment's compliance policy to determine urgency. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization.

Patch: Available

A patched-image rebuild at Flowise 3.1.0 becomes available on HarborGuard once the fix version is confirmed against the affected image. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Flowise service over the network; the vulnerability is exposed on any internet- or intranet-accessible deployment.

  • Authentication: Not required

    No account or credentials are needed; the attacker forges a valid session cookie using the publicly known default secret without prior authentication.

  • Victim interaction: Not required

    No user action is needed; the attacker crafts and submits the forged cookie directly to the server without involving any victim.

  • Attack complexity: Detail

    Exploit complexity is low: the default secret is static and publicly visible in source code, so cookie forgery is straightforward and requires no special conditions or timing.

Blast Radius

  • Attacker forges a session cookie signed with the known default secret and gains authenticated access as any target user, including administrators.
  • With administrative session access, the attacker reads all workflow definitions, credentials stored in Flowise, and any data accessible through the impersonated account.
  • The attacker modifies or deletes LLM workflows, alters stored API keys or tool configurations, and injects malicious nodes into production pipelines.
  • Because the session secret is a deployment-wide default, every active user session in an unpatched deployment with the default secret is vulnerable to impersonation simultaneously.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-56278 is matched against customer images within minutes of publication, covering any registry or pipeline image that packages Flowise below 3.1.0. Given the Critical CVSS v4.0 score of 9.3 and the zero-barrier exploitation path (no credentials, no victim interaction, publicly known secret), this finding is surfaced at the highest urgency tier. A patched-image rebuild targeting Flowise 3.1.0 is available; for customers with auto-remediation enabled, HarborGuard can trigger the rebuild, execute regression tests, and open a pull request against affected workloads. Median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding for manual review. As an immediate compensating control, operators should set the EXPRESS_SESSION_SECRET environment variable to a strong random value and restart the service; network-policy rules restricting unauthenticated external access to the Flowise port also reduce exposure while the image rebuild is in progress.
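
An added example (not Flowise or HarborGuard code) of the compensating control above: a check that rejects an unset, default, or weak EXPRESS_SESSION_SECRET, shown beside the silent-fallback pattern the advisory describes, plus an audit of a deployment's .env text. The function names and the length and variety thresholds are assumptions.

```javascript
// Added illustration: not Flowise source code. Names below are hypothetical
// except EXPRESS_SESSION_SECRET and the default 'flowise', both from the advisory.
const KNOWN_DEFAULTS = new Set(['flowise']);
const MIN_LENGTH = 32;         // assumed local policy, e.g. output of `openssl rand -hex 32`
const MIN_DISTINCT_CHARS = 10; // assumed policy: rejects values like 'aaaa...'

// Classify a candidate secret; returns { ok, reason }.
function checkSessionSecret(value) {
  if (value === undefined || value === null || value.trim() === '') {
    return { ok: false, reason: 'unset' };
  }
  if (KNOWN_DEFAULTS.has(value.trim().toLowerCase())) {
    return { ok: false, reason: 'known-default' };
  }
  if (value.length < MIN_LENGTH) return { ok: false, reason: 'too-short' };
  if (new Set(value).size < MIN_DISTINCT_CHARS) return { ok: false, reason: 'low-variety' };
  return { ok: true, reason: 'ok' };
}

// The fallback pattern the advisory describes: a missing variable silently
// becomes a secret that anyone can read in the source tree.
function resolveSecretWithFallback(env) {
  return env.EXPRESS_SESSION_SECRET || 'flowise';
}

// Fail-closed alternative: refuse to start instead of signing with a weak secret.
function resolveSecretStrict(env) {
  const verdict = checkSessionSecret(env.EXPRESS_SESSION_SECRET);
  if (!verdict.ok) {
    throw new Error(`EXPRESS_SESSION_SECRET rejected: ${verdict.reason}`);
  }
  return env.EXPRESS_SESSION_SECRET;
}

// Audit the text of a .env file: KEY=VALUE lines, optional `export`, quoted values.
// Comment lines are skipped; trailing inline comments are not stripped.
function auditEnvFile(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const m = raw.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/);
    if (!m) continue; // blank line, comment, or not an assignment
    env[m[1]] = m[2].replace(/^(['"])(.*)\1$/, '$2');
  }
  return checkSessionSecret(env.EXPRESS_SESSION_SECRET);
}
```

Calling resolveSecretStrict(process.env) at startup turns a missing or default secret into a startup failure; auditEnvFile can be run over deployment files in CI to find instances still relying on the default.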


Fix available: 3.1.0
Affected packages
  • Flowise / Flowise
    < 3.1.0 (from 0)
    Fixed in 3.1.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N