GHSA-2qqc-p94c-hxwh: Flowise: hardcoded session secret enables auth bypass
Severity: MEDIUM

Flowise ships with a publicly known default session secret ('flowise') used to sign Express session cookies when EXPRESS_SESSION_SECRET is not explicitly configured — a hard-coded credential flaw (CWE-798) that allows any attacker with knowledge of the default to forge valid session cookies and impersonate any user, including administrators, with zero authentication. The .env.example file treats this variable as optional (commented out), virtually guaranteeing misconfigured production deployments exist in the wild; with 37 CVEs already attributed to this package, this is a pattern of systemic security debt in a widely adopted no-code AI agent platform. Despite a CVSS 5.6 medium score (scored with a local vector that underrepresents network exposure), the detection team rates practical exploitability as High — any internet-exposed Flowise instance on the default port is trivially compromised. Upgrade immediately to Flowise 3.1.0 and set EXPRESS_SESSION_SECRET to a cryptographically random 256-bit value; rotate all LLM API keys stored in the platform as a precaution.
What is the risk?
The CVSS 5.6 medium rating materially understates real-world risk. The vulnerability uses AV:L (local access vector), but session cookie forgery operates over the network against any HTTP-accessible Flowise deployment. The secret is publicly documented in source code — no reverse engineering, no brute force. Exploitation requires knowing the application name and basic cookie-signing mechanics, placing this firmly in the trivial category. Any Flowise instance ≤3.0.13 deployed without explicitly setting EXPRESS_SESSION_SECRET (a configuration the project itself treats as optional) is fully compromised without credentials. Effective severity for network-exposed instances is HIGH.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | <= 3.0.13 | 3.1.0 |
Do you use Flowise? You're affected.
What should I do?
6 steps:

1. Upgrade to Flowise 3.1.0 immediately — this is the patched version.
2. Set EXPRESS_SESSION_SECRET to a cryptographically strong random value (minimum 256 bits): generate with 'openssl rand -hex 32'.
3. Rotate all LLM API keys (OpenAI, Anthropic, etc.) and database credentials stored in or accessible via the Flowise instance — assume compromise if the variable was unset.
4. Audit session logs for anomalous authentication patterns or unexpected session activity prior to patching.
5. If immediate upgrade is not possible, restrict Flowise to internal network access only via firewall rules or reverse proxy access controls.
6. Detection: monitor for Express session cookie signatures that fail validation after secret rotation, which may indicate active forgery attempts against the old default.
Frequently Asked Questions
What is GHSA-2qqc-p94c-hxwh?
Flowise ships with a publicly known default session secret ('flowise') used to sign Express session cookies when EXPRESS_SESSION_SECRET is not explicitly configured — a hard-coded credential flaw (CWE-798) that allows any attacker with knowledge of the default to forge valid session cookies and impersonate any user, including administrators, with zero authentication. The .env.example file treats this variable as optional (commented out), virtually guaranteeing misconfigured production deployments exist in the wild; with 37 CVEs already attributed to this package, this is a pattern of systemic security debt in a widely adopted no-code AI agent platform. Despite a CVSS 5.6 medium score (scored with a local vector that underrepresents network exposure), the detection team rates practical exploitability as High — any internet-exposed Flowise instance on the default port is trivially compromised. Upgrade immediately to Flowise 3.1.0 and set EXPRESS_SESSION_SECRET to a cryptographically random 256-bit value; rotate all LLM API keys stored in the platform as a precaution.
Is GHSA-2qqc-p94c-hxwh actively exploited?
No confirmed active exploitation of GHSA-2qqc-p94c-hxwh has been reported, but organizations should still patch proactively.
How to fix GHSA-2qqc-p94c-hxwh?
1. Upgrade to Flowise 3.1.0 immediately — this is the patched version.
2. Set EXPRESS_SESSION_SECRET to a cryptographically strong random value (minimum 256 bits): generate with 'openssl rand -hex 32'.
3. Rotate all LLM API keys (OpenAI, Anthropic, etc.) and database credentials stored in or accessible via the Flowise instance — assume compromise if the variable was unset.
4. Audit session logs for anomalous authentication patterns or unexpected session activity prior to patching.
5. If immediate upgrade is not possible, restrict Flowise to internal network access only via firewall rules or reverse proxy access controls.
6. Detection: monitor for Express session cookie signatures that fail validation after secret rotation, which may indicate active forgery attempts against the old default.
What systems are affected by GHSA-2qqc-p94c-hxwh?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, no-code AI platforms, LLM orchestration pipelines, AI workflow automation.
What is the CVSS score for GHSA-2qqc-p94c-hxwh?
GHSA-2qqc-p94c-hxwh has a CVSS v3.1 base score of 5.6 (MEDIUM).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0049 Exploit Public-Facing Application
- AML.T0055 Unsecured Credentials
- AML.T0083 Credentials from AI Agent Configuration
- AML.T0091 Use Alternate Authentication Material

Compliance Controls Affected
What are the technical details?
Original Advisory
**Detection Method:** Kolega.dev Deep Code Scan

| Attribute | Value |
|---|---|
| Location | packages/server/src/enterprise/middleware/passport/index.ts:55 |
| Practical Exploitability | High |
| Developer Approver | faizan@kolega.ai |

### Description

Express session secret has a weak default value 'flowise' when EXPRESS_SESSION_SECRET is not set.

### Affected Code

```
secret: process.env.EXPRESS_SESSION_SECRET || 'flowise'
```

### Evidence

The default session secret 'flowise' is publicly visible and weak. Session cookies signed with this secret can be forged by attackers.

### Impact

Session hijacking and forgery - attackers can create arbitrary session cookies to impersonate any user, bypassing all authentication mechanisms.

### Recommendation

Require EXPRESS_SESSION_SECRET to be set with a strong random value. Throw an error on startup if not configured. Use cryptographically strong random strings (minimum 256 bits).

### Notes

The Express session secret defaults to the string 'flowise' when EXPRESS_SESSION_SECRET is not set (line 55). This secret is used to sign session cookies via express-session middleware. Since 'flowise' is publicly visible in the source code, an attacker can forge valid session cookies to impersonate any user without authentication. The .env.example file has this commented out (# EXPRESS_SESSION_SECRET=flowise), implying it's optional, which compounds the risk. Unlike development-only defaults, this code path is active in production if the environment variable is not set. The application should require EXPRESS_SESSION_SECRET to be explicitly configured with a cryptographically strong random value and fail to start otherwise.
Exploitation Scenario
An attacker identifies a publicly exposed Flowise instance via Shodan (default port 3000) or targeted reconnaissance against an organization known to use AI workflow tooling. Knowing the default secret 'flowise' from Flowise's public GitHub repository, they craft a forged Express session cookie signed with HMAC-SHA256 using the known secret, setting the session user to a valid admin account discovered via the Flowise API or UI. The server validates the cookie signature successfully and grants full admin access — no password, no MFA, no brute force. The attacker enumerates stored LLM credentials, exfiltrates OpenAI and Anthropic API keys, downloads agent configurations, and optionally modifies agent system prompts to inject malicious behavior into downstream AI pipelines.
Weaknesses (CWE)
CWE-798 — Use of Hard-coded Credentials: The product contains hard-coded credentials, such as a password or cryptographic key.
- [Architecture and Design] For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7]. In Windows environments, the Encrypted File System (EFS) may provide some protection.
- [Architecture and Design] For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

References
Related Vulnerabilities
| CVE | Score | Title | Relation |
|---|---|---|---|
| CVE-2025-59528 | 10.0 | Flowise: Unauthenticated RCE via MCP config injection | Same package: flowise |
| CVE-2026-46442 | 9.9 | Flowise: sandbox escape enables authenticated RCE | Same package: flowise |
| CVE-2025-61913 | 9.9 | Flowise: path traversal in file tools leads to RCE | Same package: flowise |
| CVE-2026-40933 | 9.9 | Flowise: RCE via MCP stdio command injection | Same package: flowise |
| CVE-2026-56274 | 9.9 | Flowise: RCE via MCP server command validation bypass | Same package: flowise |