Use of hard-coded credentials in Flowise - #VU126237
Published: April 15, 2026
Flowise
Detailed vulnerability description
The vulnerability allows a local privileged user to disclose sensitive information and manipulate token metadata.
The vulnerability exists due to the use of hard-coded credentials in tempTokenUtils.ts: when the TOKEN_HASH_SECRET environment variable is not set, the token encryption key is derived from a built-in default secret. A local privileged user who knows this weak default can decrypt and modify encrypted token metadata, disclosing sensitive information and manipulating token metadata.
User interaction is required, and the issue is exposed only when TOKEN_HASH_SECRET is not configured.
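The mitigating pattern, as an added example that is not Flowise code and not its tempTokenUtils.ts: the secret is read from TOKEN_HASH_SECRET and the process fails closed when it is absent or short, the key is derived with HKDF, and metadata is sealed with AES-256-GCM so any edit is rejected on decryption. The salt and info strings, the minimum length and the metadata shape are assumptions chosen for the example.

```typescript
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "node:crypto";

// Hypothetical helper, not Flowise code: fail closed instead of falling back to a
// default secret that every deployment would share.
export class MissingSecretError extends Error {}

// Resolve the secret from the environment; refuse to derive any key without one.
export function resolveTokenHashSecret(env: Record<string, string | undefined>, minLength = 32): string {
  const secret = env.TOKEN_HASH_SECRET?.trim();
  if (!secret) {
    throw new MissingSecretError("TOKEN_HASH_SECRET is not set; refusing to use a default secret");
  }
  if (secret.length < minLength) {
    throw new MissingSecretError(`TOKEN_HASH_SECRET must be at least ${minLength} characters`);
  }
  return secret;
}

// Derive a purpose-bound 256-bit key with HKDF; salt and info are assumed example values.
export function deriveTokenKey(secret: string): Buffer {
  return Buffer.from(hkdfSync("sha256", secret, "token-metadata-salt", "token-metadata-v1", 32));
}

// Seal metadata with AES-256-GCM: confidentiality plus an auth tag, so tampering is detected.
export function sealMetadata(key: Buffer, metadata: Record<string, unknown>): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(metadata), "utf8"), cipher.final()]);
  return [iv, body, cipher.getAuthTag()].map((b) => b.toString("base64url")).join(".");
}

// Open sealed metadata; decipher.final() throws if the ciphertext or tag was modified
// or if a different key (for example a guessed default) was used.
export function openMetadata(key: Buffer, sealed: string): Record<string, unknown> {
  const [iv, body, tag] = sealed.split(".").map((p) => Buffer.from(p, "base64url"));
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  const plain = Buffer.concat([decipher.update(body), decipher.final()]);
  return JSON.parse(plain.toString("utf8")) as Record<string, unknown>;
}
```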