GHSA-2qqc-p94c-hxwh

Suggest an improvement
Source
https://github.com/advisories/GHSA-2qqc-p94c-hxwh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-2qqc-p94c-hxwh/GHSA-2qqc-p94c-hxwh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2qqc-p94c-hxwh
Published
2026-04-16T21:22:00Z
Modified
2026-04-16T21:33:54.091858Z
Severity
  • 5.6 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Flowise: Weak Default Express Session Secret
Details

Detection Method: Kolega.dev Deep Code Scan

| Attribute | Value | |---|---| | Location | packages/server/src/enterprise/middleware/passport/index.ts:55 | | Practical Exploitability | High | | Developer Approver | faizan@kolega.ai |

Description

Express session secret has a weak default value 'flowise' when EXPRESSSESSIONSECRET is not set.

Affected Code

secret: process.env.EXPRESS_SESSION_SECRET || 'flowise'

Evidence

The default session secret 'flowise' is publicly visible and weak. Session cookies signed with this secret can be forged by attackers.

Impact

Session hijacking and forgery - attackers can create arbitrary session cookies to impersonate any user, bypassing all authentication mechanisms.

Recommendation

Require EXPRESSSESSIONSECRET to be set with a strong random value. Throw an error on startup if not configured. Use cryptographically strong random strings (minimum 256 bits).

Notes

The Express session secret defaults to the string 'flowise' when EXPRESSSESSIONSECRET is not set (line 55). This secret is used to sign session cookies via express-session middleware. Since 'flowise' is publicly visible in the source code, an attacker can forge valid session cookies to impersonate any user without authentication. The .env.example file has this commented out (# EXPRESSSESSIONSECRET=flowise), implying it's optional, which compounds the risk. Unlike development-only defaults, this code path is active in production if the environment variable is not set. The application should require EXPRESSSESSIONSECRET to be explicitly configured with a cryptographically strong random value and fail to start otherwise.

Database specific 
{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-798"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:22:00Z",
    "nvd_published_at": null
}
References

Affected packages

npm / flowise

Package

Name
flowise
View open source insights on deps.dev
Purl
pkg:npm/flowise

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-2qqc-p94c-hxwh/GHSA-2qqc-p94c-hxwh.json"
last_known_affected_version_range 
"<= 3.0.13"