A critical vulnerability tracked as CVE-2026-56271 allows remote attackers to bypass authentication in Flowise by forging valid JWTs and impersonating arbitrary users, including administrators. The flaw affects versions before 3.1.0, including 3.0.13 and earlier, and stems from weak hardcoded default JWT secrets plus default audience and issuer values in the enterprise passport authentication middleware.
When the relevant JWT environment variables are not explicitly configured, Flowise falls back to publicly known defaults, effectively embedding insecure default credentials into the authentication path. The issue is rated CVSS v3.1 9.8 and CVSS v4.0 9.3 as remotely exploitable, and remediation guidance calls for upgrading to Flowise 3.1.0 or later and setting strong, unique JWT secrets along with custom audience and issuer values.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-56271 was publicly documented as a critical Flowise authentication bypass caused by weak hardcoded default JWT secrets and default audience and issuer values in enterprise passport authentication middleware. The disclosure notes remote exploitability and recommends upgrading to Flowise 3.1.0 or later with strong custom JWT settings.
Flowise addressed a critical authentication bypass vulnerability by making the issue affect versions before 3.1.0, including 3.0.13 and earlier. The flaw allowed attackers to forge JWTs and impersonate arbitrary users when default JWT secret, audience, and issuer values were used.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.