GHSA-cc4f-hjpj-g9p8

Suggest an improvement
Source
https://github.com/advisories/GHSA-cc4f-hjpj-g9p8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-cc4f-hjpj-g9p8/GHSA-cc4f-hjpj-g9p8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cc4f-hjpj-g9p8
Published
2026-04-16T21:21:12Z
Modified
2026-04-16T21:33:52.403151Z
Severity
  • 5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Flowise: Weak Default JWT Secrets
Details

Detection Method: Kolega.dev Deep Code Scan

| Attribute | Value | |---|---| | Severity | Critical | | Location | packages/server/src/enterprise/middleware/passport/index.ts:29-34 | | Practical Exploitability | High | | Developer Approver | faizan@kolega.ai |

Description

JWT secrets have weak hardcoded defaults ('authtoken', 'refreshtoken', 'AUDIENCE', 'ISSUER'). Attackers can forge valid JWTs and impersonate any user.

Affected Code

const jwtAudience = process.env.JWT_AUDIENCE || 'AUDIENCE'
const jwtIssuer = process.env.JWT_ISSUER || 'ISSUER'
const jwtAuthTokenSecret = process.env.JWT_AUTH_TOKEN_SECRET || 'auth_token'
const jwtRefreshSecret = process.env.JWT_REFRESH_TOKEN_SECRET || process.env.JWT_AUTH_TOKEN_SECRET || 'refresh_token'

Evidence

All JWT defaults are weak strings. Refresh token falls back to auth token which is a design flaw. If any environment variable is unset, weak default is used.

Impact

Complete authentication bypass. Attackers can forge valid JWTs for any user account. No authentication required to access protected endpoints. Can escalate to admin access.

Recommendation

Remove all default secrets - require all JWT environment variables to be explicitly set. Add startup validation throwing error if any JWT secret is missing. Use cryptographically random secrets (256+ bits) for each secret independently. Implement JWT secret rotation mechanism.

Notes

The JWT secrets have genuinely weak hardcoded defaults ('authtoken', 'refreshtoken', 'AUDIENCE', 'ISSUER') at lines 29-34. If an administrator deploys without setting the environment variables JWTAUTHTOKENSECRET, JWTREFRESHTOKENSECRET, JWTAUDIENCE, and JWTISSUER, the application will use these trivially guessable values. An attacker knowing these defaults (which are publicly visible in the source code) can forge valid JWTs to impersonate any user, including administrators. The fallback chain at line 34 where jwtRefreshSecret falls back to jwtAuthTokenSecret is an additional design weakness - if only JWTAUTHTOKEN_SECRET is set, both tokens share the same secret. While .env.example files provide placeholder values, these are also weak and publicly visible. The application should fail to start if these secrets are not explicitly configured with strong values, rather than silently falling back to insecure defaults.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:21:12Z",
    "cwe_ids": [
        "CWE-327"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}
References

Affected packages

npm / flowise

Package

Name
flowise
View open source insights on deps.dev
Purl
pkg:npm/flowise

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-cc4f-hjpj-g9p8/GHSA-cc4f-hjpj-g9p8.json"
last_known_affected_version_range 
"<= 3.0.13"