Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication middleware (packages/server/src/enterprise/middleware/passport/index.ts). When the corresponding environment variables (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, JWT_ISSUER) are not set, the application silently falls back to these publicly known defaults, allowing an attacker to forge valid JWTs and impersonate any user, including administrators, resulting in authentication bypass.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Flowise versions 3.0.13 and earlier contain a critical authentication vulnerability in their enterprise passport middleware that uses hardcoded default JWT secrets and configuration values. When administrators fail to set required environment variables (JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, JWT_ISSUER), the application silently falls back to weak, publicly known defaults like 'auth_token' and 'refresh_token'. This vulnerability affects any organization deploying Flowise in enterprise environments without explicit configuration, allowing attackers to forge valid JWT tokens and gain unauthorized access to the platform with a CVSS score of 9.8. The silent fallback mechanism is particularly dangerous because administrators may believe their deployment is secure when it actually uses predictable cryptographic material.
While this CVE doesn't map to specific MITRE ATT&CK techniques, Casky's security skills would detect the underlying attack patterns through analysis of authentication traffic and token validation failures. Practitioners using Casky would identify suspicious JWT token generation attempts, detect repeated successful authentications with hardcoded credentials, and spot patterns consistent with CWE-321 (Use of Hard-Coded Cryptographic Key) violations. Casky's extended reasoning capabilities would flag environment variable configurations missing JWT secret definitions, correlate authentication logs showing tokens signed with weak keys, and highlight the dangerous pattern of unauthenticated fallbacks in security-critical middleware—enabling teams to remediate before exploitation occurs.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-56271. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation