Use of hard-coded credentials in Flowise - #VU126238


Published: April 15, 2026


Vulnerability identifier: #VU126238
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-798
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software: Flowise

Detailed vulnerability description

The vulnerability allows a local privileged user to disclose sensitive information and modify application state by forging session cookies.

The vulnerability exists because the express-session secret falls back to a hard-coded value when the EXPRESS_SESSION_SECRET environment variable is not set. A local privileged user who knows that value can create forged session cookies and, by impersonating arbitrary users, disclose sensitive information and modify application state.

The issue is exposed only when the application is running with the default secret value 'flowise', and user interaction is required.


Remediation

Install the security update from the vendor's website.

Sources