Use of hard-coded cryptographic key in Flowise - #VU126239


Published: April 15, 2026


Vulnerability identifier: #VU126239
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-321
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a local privileged user to bypass authentication and impersonate any user.

The vulnerability exists due to the use of a hard-coded cryptographic key in the JWT secret handling in packages/server/src/enterprise/middleware/passport/index.ts when processing JWT-based authentication. A local privileged user can forge valid JWTs to bypass authentication and impersonate any user.

User interaction is required, and exploitation is possible when JWT environment variables are unset and weak default values are used.
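A fail-closed way to handle the JWT secret described above, written as an added example rather than Flowise's own code: the environment variable name JWT_AUTH_SECRET, the placeholder default values and the minimal HS256 helpers are all assumptions, not the project's identifiers.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

const MIN_SECRET_BYTES = 32;
// Constructed placeholders standing in for any shipped fallback value (assumed, not Flowise's).
const KNOWN_INSECURE_DEFAULTS = new Set(["changeme", "PLACEHOLDER_DEFAULT_SECRET"]);

export type SecretCheck =
  | { ok: true; secret: Buffer }
  | { ok: false; reason: string };

// Fail closed: an unset variable is a startup error, never a silent constant fallback.
export function loadJwtSecret(env: Record<string, string | undefined>): SecretCheck {
  const raw = env.JWT_AUTH_SECRET; // hypothetical variable name
  if (!raw) return { ok: false, reason: "JWT_AUTH_SECRET is not set" };
  if (KNOWN_INSECURE_DEFAULTS.has(raw)) {
    return { ok: false, reason: "JWT_AUTH_SECRET is a known placeholder value" };
  }
  const secret = Buffer.from(raw, "utf8");
  if (secret.length < MIN_SECRET_BYTES) {
    return { ok: false, reason: `JWT_AUTH_SECRET must be at least ${MIN_SECRET_BYTES} bytes` };
  }
  return { ok: true, secret };
}

// Per-deployment secret an operator generates once and places in the environment.
export function generateJwtSecret(): string {
  return randomBytes(MIN_SECRET_BYTES).toString("hex");
}

const b64url = (b: Buffer): string => b.toString("base64url");

// Minimal HS256 signer, present only so that verification can be exercised.
export function signHs256(payload: object, secret: Buffer): string {
  const head = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = b64url(Buffer.from(JSON.stringify(payload)));
  const sig = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Returns the payload only if the signature was made with this deployment's secret;
// the header's alg field is deliberately ignored and HS256 is fixed.
export function verifyHs256(token: string, secret: Buffer): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  return JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
}
```

A token minted under one deployment's secret is rejected by another, which is exactly the property a shared hard-coded default destroys.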


Remediation

Install the security update from the vendor's website.

Sources