CVE-2026-56272: Flowise: weak bcrypt enables 30x faster password cracking

MEDIUM
Published June 24, 2026
CISO Take

Flowise prior to version 3.0.13 stores user passwords with a bcrypt work factor of 5 — just 32 iterations — versus the OWASP-recommended minimum of 10 rounds (1,024 iterations), making stored hashes approximately 30 times faster to crack using modern GPU hardware. While the CVSS score of 4.1 reflects that exploitation requires prior database access (local attack vector, high privileges required), the real-world threat materializes in a database exfiltration scenario: an attacker who steals the Flowise database can rapidly recover plaintext credentials and pivot into hosted AI agent pipelines, stored LLM API keys, and connected downstream services. There is no active exploitation on record (not in CISA KEV, no public exploit), but Flowise carries 104 other CVEs, signaling a persistent attack surface and elevated probability of a chained exploit path. Upgrade to Flowise 3.0.13 immediately and force a full password reset for all accounts post-upgrade.

Sources: NVD, GitHub Advisory, MITRE ATLAS

What is the risk?

Medium risk with disproportionate post-breach impact for AI infrastructure. The CVSS AV:L/AC:H/PR:H vector correctly limits base score to 4.1 — initial exploitation requires database-level access that itself implies significant prior compromise. However, for organizations where Flowise centrally stores API keys for LLM providers and vector databases, a single cracked admin credential cascades into full AI pipeline compromise. The 104 prior CVEs in the Flowise package compound risk by increasing the probability of a chained initial access path (e.g., a separate CVE grants DB access, this CVE accelerates credential recovery). No EPSS data is available to quantify exploitation likelihood.

How does the attack unfold?

Database Exfiltration
Attacker obtains the Flowise database through a chained vulnerability or misconfiguration — SQL injection, exposed backup, or storage bucket leak — extracting the users table containing bcrypt password hashes.
AML.T0025
Offline Credential Cracking
Using GPU-accelerated tooling against the bcrypt cost factor of 5, the attacker cracks password hashes approximately 30x faster than OWASP-compliant systems, recovering plaintext credentials for multiple accounts.
AML.T0055
Unauthorized Authentication
Attacker uses recovered plaintext credentials to authenticate to the Flowise instance as a legitimate user or admin; because the login is valid, session and access controls see an ordinary sign-in and raise no alarm.
AML.T0012
AI Pipeline & Credential Harvest
Authenticated attacker extracts stored LLM API keys and service tokens from agent configurations, modifies AI workflows to exfiltrate user queries, and pivots laterally to connected downstream AI services.
AML.T0083

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
Flowise   npm         < 3.0.13           3.0.13

If you run Flowise older than 3.0.13, you are affected. Note that hashes written by a vulnerable version stay at cost 5 after the upgrade until each password is rehashed (see the password-reset step below).

How severe is it?

CVSS 3.1
4.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

Metric                    Value
AV (Attack Vector)        Local
AC (Attack Complexity)    High
PR (Privileges Required)  High
UI (User Interaction)     None
S  (Scope)                Unchanged
C  (Confidentiality)      High
I  (Integrity)            None
A  (Availability)         None

What should I do?

6 steps
  1. Upgrade Flowise to version 3.0.13 or later, which implements the OWASP-recommended bcrypt work factor of 10+ rounds.

  2. After upgrading, force an immediate password reset for all user accounts to replace weakly-hashed credentials still resident in the database.

  3. Rotate all LLM provider API keys and external service tokens stored in Flowise agent configurations as a precautionary measure if any database exposure is suspected.

  4. Restrict database access to application-only service credentials; disable direct external connectivity to the Flowise DB.

  5. Enable audit logging on the Flowise instance to detect anomalous authentication patterns.

  6. Detection: inspect the bcrypt hashes stored in the user table. The cost factor is the two-digit field after the variant tag, so a value starting '$2b$05$' (or '$2a$05$' / '$2y$05$', depending on which bcrypt library produced it) carries the vulnerable work factor of 5; any hash whose cost field parses to less than 10 is non-compliant. Compare the cost numerically rather than by string prefix, and treat any value that is not a bcrypt hash at all as a separate finding.
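The audit in step 6, written out as an added example (this is not Flowise project code): it parses each stored hash in the bcrypt modular-crypt format, extracts the cost field, and flags anything below the OWASP minimum of 10 together with the attacker speed-up that implies. The row shape ({email, password}), the column names and the sample hashes are constructed for illustration; the salt+digest body is reused across rows because only the variant tag and cost field matter to the check.

```javascript
// Added example, not Flowise project code: audit exported password hashes for a
// bcrypt cost factor below the OWASP minimum of 10. Rows, column names and sample
// hashes are constructed for illustration.

// bcrypt modular-crypt format: "$2a$" / "$2b$" / "$2y$" (library-dependent variant
// tag), a two-digit cost, then 22 salt + 31 digest characters from bcrypt's base64
// alphabet. The real iteration count is 2^cost.
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{53})$/;
const MIN_COST = 10;

// Returns { variant, cost, iterations } or null when the value is not a bcrypt hash.
function parseBcrypt(value) {
  const m = BCRYPT_RE.exec(String(value));
  if (!m) return null;
  const cost = Number.parseInt(m[2], 10);
  return { variant: m[1], cost, iterations: 2 ** cost };
}

// Audit rows of { email, password }. Reports weak bcrypt (cost < minCost) and any
// value that is not bcrypt at all (legacy or unknown scheme), which also needs a look.
function auditHashes(rows, minCost = MIN_COST) {
  const findings = [];
  for (const row of rows) {
    const parsed = parseBcrypt(row.password);
    if (parsed === null) {
      findings.push({ email: row.email, status: "not-bcrypt" });
    } else if (parsed.cost < minCost) {
      findings.push({
        email: row.email,
        status: "weak",
        variant: parsed.variant,
        cost: parsed.cost,
        // Relative cracking speed-up versus a hash at minCost: 2^(minCost - cost).
        // For cost 5 against cost 10 this is 32, the "~30x" in the advisory.
        speedup: 2 ** (minCost - parsed.cost),
      });
    }
  }
  return findings;
}

// Constructed sample export. The 53-character salt+digest body is reused on purpose.
const BODY = "N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy";
const SAMPLE_ROWS = [
  { email: "admin@example.com", password: `$2b$05$${BODY}` }, // vulnerable default
  { email: "alice@example.com", password: `$2a$10$${BODY}` }, // compliant, "$2a$" tag
  { email: "bob@example.com",   password: `$2y$12$${BODY}` }, // compliant, "$2y$" tag
  { email: "svc@example.com",   password: "sha1$deadbeef"   }, // not bcrypt: investigate
];

console.table(auditHashes(SAMPLE_ROWS));
```

Run it against a real export by replacing SAMPLE_ROWS with the rows from your user table. The same check can be done directly in SQL against the password-hash column (its name depends on your Flowise schema): the cost is characters 5 and 6 of the stored string, so a predicate of the form CAST(SUBSTR(hash_column, 5, 2) AS INTEGER) < 10 (MySQL uses AS UNSIGNED) lists the non-compliant accounts, with a separate query for rows that do not start with '$2'.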

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system risk controls
NIST AI RMF
MEASURE 2.5 - AI system cybersecurity testing

Frequently Asked Questions

What is CVE-2026-56272?

CVE-2026-56272 is a CWE-916 weakness in Flowise before version 3.0.13: user passwords are stored as bcrypt hashes with a work factor of 5 (32 iterations) rather than the OWASP-recommended minimum of 10 (1,024 iterations), so an attacker who obtains the database can crack the stored hashes roughly 30 times faster on GPU hardware and reuse the recovered credentials against the Flowise instance and the LLM API keys it holds. The CVSS 3.1 base score is 4.1 (MEDIUM) because database access is a precondition. See the CISO Take above for the full assessment.

Is CVE-2026-56272 actively exploited?

No confirmed active exploitation of CVE-2026-56272 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-56272?

Follow the six steps in the "What should I do?" section above: upgrade to Flowise 3.0.13 or later; force a password reset for all accounts so hashes written at cost 5 are replaced; rotate stored LLM provider keys and service tokens if any database exposure is suspected; restrict the database to application-only credentials with no direct external connectivity; enable audit logging for anomalous authentication; and audit the stored hashes for a bcrypt cost field below 10.

What systems are affected by CVE-2026-56272?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow orchestration, AI pipeline management, model serving.

What is the CVSS score for CVE-2026-56272?

CVE-2026-56272 has a CVSS v3.1 base score of 4.1 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks
LLM workflow orchestration
AI pipeline management
model serving

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MEASURE 2.5

What are the technical details?

Original Advisory

Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database breach scenario.

Exploitation Scenario

An attacker targeting an organization's AI infrastructure identifies Flowise as a high-value credential store given its central role in orchestrating LLM workflows. Through a separate vulnerability — SQL injection, a misconfigured database backup in cloud storage, or a prior unpatched Flowise CVE — the attacker exfiltrates the Flowise database. Using hashcat with a GPU-accelerated rig and a standard wordlist attack, the attacker exploits the bcrypt cost factor of 5 to recover user passwords approximately 30x faster than a properly configured system. With recovered admin credentials, the attacker authenticates to the Flowise UI as a legitimate user, harvests all stored LLM API keys and vector database tokens from agent configurations, modifies workflows to silently exfiltrate user query data to an attacker-controlled endpoint, and pivots laterally to connected downstream services — all while appearing as an authenticated session.

Weaknesses (CWE)

CWE-916 — Use of Password Hash With Insufficient Computational Effort: The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

  • [Architecture and Design] Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. Note that using thes
  • [Implementation, Architecture and Design] When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
June 24, 2026
Last Modified
June 24, 2026
First Seen
June 24, 2026
