#VU125528 Use of Password Hash With Insufficient Computational Effort in Flowise

 


Published: April 9, 2026


Vulnerability identifier: #VU125528
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-916
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
Flowise
Software vendor:
FlowiseAI

Description

The vulnerability allows a local privileged user to disclose sensitive information.

The vulnerability exists due to the use of a password hash with insufficient computational effort in the password hashing utility when it generates bcrypt password hashes with the default salt rounds setting. A local privileged user can obtain password hashes and perform brute-force cracking to disclose sensitive information.

Existing password hashes generated with the weak default remain more susceptible to offline cracking if a database compromise occurs.
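To find the existing hashes that were stored with a low bcrypt cost, the following added example (not Flowise or vendor code) reads the cost factor out of each stored hash string and reports the accounts that need re-hashing. The `MIN_COST` threshold, the function names and the sample rows are assumptions made for illustration; the advisory does not state the old or new default.

```javascript
// Added example: audit stored bcrypt hashes for a low cost factor.
// MIN_COST is an assumed policy value, not a figure from the advisory.
const MIN_COST = 12;

// bcrypt modular crypt format:
//   $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
const BCRYPT_RE = /^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$/;

// Return the cost (log2 of the key-setup iterations), or null if the
// string is not a well-formed bcrypt hash.
function bcryptCost(hash) {
  const m = typeof hash === "string" ? BCRYPT_RE.exec(hash) : null;
  if (!m) return null;
  const cost = Number(m[1]);
  return cost >= 4 && cost <= 31 ? cost : null; // range bcrypt accepts
}

// Decision for the login path: after a successful password check,
// re-hash at the current cost when this returns true.
function needsRehash(hash, minCost = MIN_COST) {
  const cost = bcryptCost(hash);
  return cost === null || cost < minCost;
}

// Classify every stored row. workDeficit is how many times cheaper each
// guess is for an offline attacker compared with a hash at minCost.
function auditHashes(rows, minCost = MIN_COST) {
  const report = { ok: [], weak: [], unrecognized: [] };
  for (const { user, hash } of rows) {
    const cost = bcryptCost(hash);
    if (cost === null) report.unrecognized.push(user);
    else if (cost < minCost)
      report.weak.push({ user, cost, workDeficit: 2 ** (minCost - cost) });
    else report.ok.push(user);
  }
  return report;
}

// Constructed sample rows: the salt/digest part is filler, not real hashes.
const FILLER = "A".repeat(53);
const SAMPLE_ROWS = [
  { user: "alice", hash: "$2b$05$" + FILLER },
  { user: "bob", hash: "$2b$12$" + FILLER },
  { user: "carol", hash: "$2a$10$" + FILLER },
  { user: "dave", hash: "value-from-some-other-scheme" },
];

console.log(JSON.stringify(auditHashes(SAMPLE_ROWS), null, 2));
```

A stored hash cannot be strengthened without the plaintext password, so accounts in the `weak` list are upgraded at their next successful login or by forcing a password reset.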


Remediation

Install the security update from the vendor's website.
