Product
Flowise versions 3.0.13 and earlier are vulnerable due to hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience/issuer values ('AUDIENCE', 'ISSUER'), allowing an attacker to forge valid JWTs and impersonate any user, including administrators, leading to an authentication bypass if environment variables are not explicitly set.