GHSA-cc4f-hjpj-g9p8

GHSA-cc4f-hjpj-g9p8 MEDIUM
Published April 16, 2026

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| flowise | npm | <= 3.0.13 | 3.1.0 |

Severity & Risk

CVSS 3.1: 5.6 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: N/A

Attack Surface

AV: Local
AC: High
PR: High
UI: Required
S: Unchanged
C: High
I: High
A: None

Recommended Action

Patch available

Update flowise to version 3.1.0

Frequently Asked Questions

What is GHSA-cc4f-hjpj-g9p8?

Flowise: Weak Default JWT Secrets

Is GHSA-cc4f-hjpj-g9p8 actively exploited?

No confirmed active exploitation of GHSA-cc4f-hjpj-g9p8 has been reported, but organizations should still patch proactively.

How to fix GHSA-cc4f-hjpj-g9p8?

Update to patched version: flowise 3.1.0.

What is the CVSS score for GHSA-cc4f-hjpj-g9p8?

GHSA-cc4f-hjpj-g9p8 has a CVSS v3.1 base score of 5.6 (MEDIUM).

Technical Details

NVD Description

**Detection Method:** Kolega.dev Deep Code Scan

| Attribute | Value |
|---|---|
| Severity | Critical |
| Location | packages/server/src/enterprise/middleware/passport/index.ts:29-34 |
| Practical Exploitability | High |
| Developer Approver | faizan@kolega.ai |

### Description

JWT secrets have weak hardcoded defaults ('auth_token', 'refresh_token', 'AUDIENCE', 'ISSUER'). Attackers can forge valid JWTs and impersonate any user.

### Affected Code

```
const jwtAudience = process.env.JWT_AUDIENCE || 'AUDIENCE'
const jwtIssuer = process.env.JWT_ISSUER || 'ISSUER'
const jwtAuthTokenSecret = process.env.JWT_AUTH_TOKEN_SECRET || 'auth_token'
const jwtRefreshSecret = process.env.JWT_REFRESH_TOKEN_SECRET || process.env.JWT_AUTH_TOKEN_SECRET || 'refresh_token'
```

### Evidence

All JWT defaults are weak strings. Refresh token falls back to auth token which is a design flaw. If any environment variable is unset, weak default is used.

### Impact

Complete authentication bypass. Attackers can forge valid JWTs for any user account. No authentication required to access protected endpoints. Can escalate to admin access.

### Recommendation

Remove all default secrets - require all JWT environment variables to be explicitly set. Add startup validation throwing error if any JWT secret is missing. Use cryptographically random secrets (256+ bits) for each secret independently. Implement JWT secret rotation mechanism.

### Notes

The JWT secrets have genuinely weak hardcoded defaults ('auth_token', 'refresh_token', 'AUDIENCE', 'ISSUER') at lines 29-34. If an administrator deploys without setting the environment variables JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER, the application will use these trivially guessable values. An attacker knowing these defaults (which are publicly visible in the source code) can forge valid JWTs to impersonate any user, including administrators.

The fallback chain at line 34 where jwtRefreshSecret falls back to jwtAuthTokenSecret is an additional design weakness - if only JWT_AUTH_TOKEN_SECRET is set, both tokens share the same secret. While .env.example files provide placeholder values, these are also weak and publicly visible. The application should fail to start if these secrets are not explicitly configured with strong values, rather than silently falling back to insecure defaults.
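
The startup validation called for in the Recommendation, sketched as an added example that is not part of the advisory or of Flowise's code. The function names `findJwtConfigProblems` and `loadJwtConfig` and the 64-character minimum (which assumes hex-encoded secrets, so 64 characters carry 256 bits) are hypothetical; the environment variable names and rejected default strings are the ones quoted above.

```typescript
// Added example: fail-closed JWT configuration loading (not Flowise's own code).
type Env = { [key: string]: string | undefined }

interface JwtConfig {
    audience: string
    issuer: string
    authTokenSecret: string
    refreshTokenSecret: string
}

// The hardcoded defaults quoted in the advisory; never acceptable as real values.
const KNOWN_WEAK_VALUES = ['auth_token', 'refresh_token', 'AUDIENCE', 'ISSUER']
const REQUIRED_VARS = ['JWT_AUDIENCE', 'JWT_ISSUER', 'JWT_AUTH_TOKEN_SECRET', 'JWT_REFRESH_TOKEN_SECRET']
const SECRET_VARS = ['JWT_AUTH_TOKEN_SECRET', 'JWT_REFRESH_TOKEN_SECRET']
// Assumption: secrets are hex strings, so 64 characters carry 256 bits.
const MIN_SECRET_CHARS = 64

// Returns every configuration problem; an empty array means the config is usable.
function findJwtConfigProblems(env: Env): string[] {
    const problems: string[] = []
    for (const name of REQUIRED_VARS) {
        const value = env[name]
        if (value === undefined || value.trim() === '') {
            problems.push(name + ' is not set')
        } else if (KNOWN_WEAK_VALUES.indexOf(value) !== -1) {
            problems.push(name + ' uses a publicly known default')
        } else if (SECRET_VARS.indexOf(name) !== -1 && value.length < MIN_SECRET_CHARS) {
            problems.push(name + ' is shorter than ' + MIN_SECRET_CHARS + ' characters')
        }
    }
    // No fallback chain: the refresh secret must be set independently of the auth secret.
    const auth = env['JWT_AUTH_TOKEN_SECRET']
    if (auth !== undefined && auth !== '' && auth === env['JWT_REFRESH_TOKEN_SECRET']) {
        problems.push('JWT_REFRESH_TOKEN_SECRET must differ from JWT_AUTH_TOKEN_SECRET')
    }
    return problems
}

// Call once at startup with process.env; throws instead of falling back to defaults.
function loadJwtConfig(env: Env): JwtConfig {
    const problems = findJwtConfigProblems(env)
    if (problems.length > 0) {
        throw new Error('Refusing to start, JWT configuration invalid: ' + problems.join('; '))
    }
    return {
        audience: env['JWT_AUDIENCE'] as string,
        issuer: env['JWT_ISSUER'] as string,
        authTokenSecret: env['JWT_AUTH_TOKEN_SECRET'] as string,
        refreshTokenSecret: env['JWT_REFRESH_TOKEN_SECRET'] as string
    }
}
```

Reporting every problem at once, rather than stopping at the first, lets an operator fix a misconfigured deployment in a single pass.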

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

Timeline

Published: April 16, 2026
Last Modified: April 16, 2026
First Seen: April 17, 2026
