{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/flowise--3.1.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-56271"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Flowise (\u003c 3.1.0)"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","jwt","hardcoded-credentials","web-application","critical-vulnerability"],"_cs_type":"advisory","_cs_vendors":["Flowise"],"content_html":"\u003cp\u003eCVE-2026-56271 describes a critical authentication bypass vulnerability affecting Flowise versions 3.0.13 and earlier. The flaw originates from the application's enterprise passport authentication middleware, which utilizes weak, hardcoded default JWT secrets, 'auth_token' and 'refresh_token', along with default audience and issuer values, 'AUDIENCE' and 'ISSUER'. If corresponding environment variables, specifically \u003ccode\u003eJWT_AUTH_TOKEN_SECRET\u003c/code\u003e, \u003ccode\u003eJWT_REFRESH_TOKEN_SECRET\u003c/code\u003e, \u003ccode\u003eJWT_AUDIENCE\u003c/code\u003e, and \u003ccode\u003eJWT_ISSUER\u003c/code\u003e, are not explicitly configured by the user, Flowise silently reverts to these publicly known default values. This oversight allows an unauthenticated attacker to craft and sign valid JSON Web Tokens (JWTs) using these predictable secrets and values. By presenting a forged JWT, an attacker can bypass authentication mechanisms, impersonate any user, including administrators, and gain unauthorized access to the Flowise instance. This vulnerability poses a severe risk to the integrity and confidentiality of data managed by affected Flowise deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a publicly accessible Flowise instance.\u003c/li\u003e\n\u003cli\u003eThe attacker determines the Flowise instance is running a vulnerable version (3.0.13 or earlier).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a JSON Web Token (JWT) payload designed to impersonate an administrative user within the Flowise application.\u003c/li\u003e\n\u003cli\u003eThe attacker signs this forged JWT using the publicly known hardcoded default secrets ('auth_token' or 'refresh_token') and incorporates the default audience ('AUDIENCE') and issuer ('ISSUER') values.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the Flowise instance, including the forged JWT in the \u003ccode\u003eAuthorization\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe Flowise application, if operating with default environment variables, validates the forged JWT as legitimate due to the predictable secrets and values.\u003c/li\u003e\n\u003cli\u003eThe application grants the attacker administrative privileges, believing the forged token to be valid.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control over the Flowise instance, enabling unauthorized configuration changes, data exfiltration, or deployment of malicious AI flows.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-56271 results in a complete authentication bypass, granting attackers administrative access to the Flowise application. This allows for full compromise of the affected instance, including the ability to read, modify, or delete sensitive data, reconfigure system settings, or deploy arbitrary code through malicious AI flows. Given the nature of Flowise as a low-code platform for AI applications, this could lead to significant data breaches, intellectual property theft, or the use of compromised infrastructure for further attacks. The vulnerability carries a CVSS v3.1 Base Score of 9.8, indicating critical severity and a high potential for widespread, severe damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-56271 immediately by upgrading all Flowise instances to version 3.1.0 or newer.\u003c/li\u003e\n\u003cli\u003eVerify and immediately set unique and strong values for the \u003ccode\u003eJWT_AUTH_TOKEN_SECRET\u003c/code\u003e, \u003ccode\u003eJWT_REFRESH_TOKEN_SECRET\u003c/code\u003e, \u003ccode\u003eJWT_AUDIENCE\u003c/code\u003e, and \u003ccode\u003eJWT_ISSUER\u003c/code\u003e environment variables in all Flowise deployments, ensuring they are not using the publicly known defaults.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-12T12:18:39Z","date_published":"2026-07-12T12:18:39Z","id":"https://feed.craftedsignal.io/briefs/2026-07-flowise-jwt-auth-bypass/","summary":"Flowise versions 3.0.13 and earlier are vulnerable due to hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience/issuer values ('AUDIENCE', 'ISSUER'), allowing an attacker to forge valid JWTs and impersonate any user, including administrators, leading to an authentication bypass if environment variables are not explicitly set.","title":"Flowise Authentication Bypass via Hardcoded JWT Secrets (CVE-2026-56271)","url":"https://feed.craftedsignal.io/briefs/2026-07-flowise-jwt-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Flowise (\u003c 3.1.0)","version":"https://jsonfeed.org/version/1.1"}