SCA: security update for flowise (GHSA-m7mq-85xj-9x33)

Medium | Tenable Self-Hosted Container Security | Plugin ID 443879

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Flowise before 3.1.0 (npm package flowise, versions 3.0.13 and earlier) uses a weak hardcoded default value 'Secre$t' for the TOKEN_HASH_SECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key used to encrypt user IDs and workspace IDs in the 'meta' field of JWT tokens. An attacker who knows the default secret can decrypt this metadata to extract internal user and workspace identifiers, and re-encrypt manipulated values such as altered user or workspace IDs. Because the JWT signature is validated separately, decrypting or tampering with this metadata does not by itself grant access, but the disclosure of internal identifiers and possible metadata manipulation could aid privilege escalation or unauthorized data access. (CVE-2026-56269)

Solution

Update the flowise library and its related packages to version 3.1.0 or later.

See Also

https://github.com/advisories/GHSA-m7mq-85xj-9x33

Plugin Details

Severity: Medium

ID: 443879

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 6/24/2026

Updated: 6/26/2026

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 3.9

Vector: CVSS2#AV:L/AC:H/Au:M/C:C/I:C/A:N

CVSS Score Source: CVE-2026-56269

CVSS v3

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 4.9

Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 4.3

Threat Score: 0.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/16/2026

Vulnerability Publication Date: 4/16/2026

Reference Information

CVE: CVE-2026-56269

CWE: CWE-798