{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-56278/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-30T22:08:27.947Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-56278","@id":"https://www.cve.org/CVERecord?id=CVE-2026-56278","description":"Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication."},"products":[{"@id":"cpe:2.3:a:flowise:flowise:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:flowise:flowise:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update to a fixed version: 3.1.0. Until the upgrade is deployed, set the EXPRESS_SESSION_SECRET environment variable to a strong, randomly generated value so the hardcoded default secret is not used.","timestamp":"2026-06-30T22:08:27.947Z"}]}