GHSA-m7mq-85xj-9x33 · Severity: medium · Ecosystem: npm — Flowise: Weak Default Token Hash Secret
Flowise before 3.1.0 (npm package flowise, versions 3.0.13 and earlier) uses a weak hardcoded default value 'Secre$t' for the TOKEN_HASH_SECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key used to encrypt user IDs and workspace IDs in the 'meta' field of JWT tokens. An attacker who knows the default secret can decrypt this metadata to extract internal user and workspace identifiers, and re-encrypt manipulated values such as altered user or workspace IDs. Because the JWT signature is validated separately, decrypting or tampering with this metadata does not by itself grant access, but the disclosure of internal identifiers and possible metadata manipulation could aid privilege escalation or unauthorized data access.
Conclusion & alert: CVE-2026-56269 is rated Low Risk (17.5/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.09%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-25 | — | 0.09% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 4.3 | 4.0 | MEDIUM | | — | — | [email protected] |
| 4.6 | 3.1 | MEDIUM | | 0.3 | 4.2 | [email protected] |
| URL | Tags |
|---|---|
| https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-m7mq-85xj-9x33 | Mitigation, Vendor Advisory |
| https://www.vulncheck.com/advisories/flowise-weak-default-token-hash-secret-in-jwt-token-encryption | Third Party Advisory |