
Flowise CVE-2026-56272

EUVD: EUVD-2026-38748 · MEDIUM
Use of Password Hash With Insufficient Computational Effort (CWE-916)
Published: 2026-06-24 · Source: VulnCheck
Score: 5.6 (CVSS 4.0) · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck), primary rating: 5.6 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI rating: 4.1 MEDIUM
Requires prior database extraction under high privilege (PR:H, AC:H, AV:L); only confidentiality is impacted through accelerated offline hash cracking.
CVSS 3.1 vector: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 vector: AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck; full vector string as listed under Severity by source)

Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: X (not defined in CVSS 4.0)

Lifecycle Timeline (3 events)

Patch available: Jun 24, 2026 13:01 (EUVD)
Source Code Evidence Fetched: Jun 24, 2026 12:22 (vuln.today)
Analysis Generated: Jun 24, 2026 12:22 (vuln.today)

Description (CVE.org)

Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database breach scenario.

Analysis (AI-generated)

Flowise versions up to and including 3.0.12 hash passwords using bcrypt with a default cost factor of 5 rounds - yielding only 32 iterations versus the OWASP-recommended minimum of 1,024 at 10 rounds - making stored password hashes approximately 30 times faster to crack with modern GPU hardware. All deployments where the PASSWORD_SALT_HASH_ROUNDS environment variable has not been manually overridden to 10 or higher are affected, which represents the majority of real-world installs since defaults predominate. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Compromise Flowise host or database backup
Delivery: Extract bcrypt password hash table
Exploit: Load hashes into GPU cracking tool
Execution: Crack hashes at 30x accelerated rate due to cost factor 5
Persist: Recover plaintext user passwords
Impact: Authenticate to Flowise or reuse credentials externally

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires a prior, independent compromise of the Flowise database. The attacker must already have extracted the stored bcrypt hashes through a separate attack vector such as unauthorized database access, backup exposure, or server-level compromise (reflected in CVSS PR:H and AC:H). …

Risk Assessment: The CVSS 4.0 vector (AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N) accurately characterizes this as a post-breach amplifier: exploitation requires the attacker to have already obtained privileged access sufficient to extract the database (PR:H) under high attack complexity (AC:H). It is therefore a secondary risk that magnifies the damage of an upstream compromise rather than an independently exploitable entry point. …

Exploit Scenario: An attacker who has obtained a copy of the Flowise database, whether through an unrelated SQL injection, a cloud storage misconfiguration, or infrastructure compromise, loads the extracted bcrypt hash table into Hashcat or a similar GPU-accelerated cracking tool targeting hash-type 3200 (bcrypt). Because the hashes were generated at cost factor 5, the attacker achieves approximately 300,000 candidate tests per second on a single modern GPU rather than the ~10,000/second expected at OWASP-recommended rounds, reducing the time to exhaust common password lists from hours to minutes and enabling broader brute-force coverage. …

Remediation: Upgrade Flowise to version 3.0.13 or later, which corrects the default bcrypt salt rounds; the upstream fix is tracked in GitHub PR #5665 at https://github.com/FlowiseAI/Flowise/pull/5665. …
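The description, analysis and remediation above all turn on one number: the cost field embedded in every bcrypt hash string. A defender checking exposure does not need the original passwords, only the stored hashes, because bcrypt's modular-crypt form ($2b$05$...) carries the cost in clear text. The following is an added example, not code from Flowise or from the advisory, using only the Python standard library. It parses that format, reports per-user cost and iteration count (2**cost), flags hashes below the advisory's recommended floor of 10 for re-hashing on next login, computes the attacker speed-up as 2**(10 - cost) (32 for cost 5, the advisory's "approximately 30x"), and shows a hardened reading of the PASSWORD_SALT_HASH_ROUNDS setting that refuses to drop below the floor. The sample rows and the helper names (`audit_hashes`, `resolve_salt_rounds`) are constructed for this example and do not describe Flowise's internal implementation.

```python
import os
import re

# Cost floor the advisory cites (OWASP-recommended minimum of 10 rounds).
RECOMMENDED_MIN_COST = 10
# bcrypt's defined cost range.
BCRYPT_MIN_COST, BCRYPT_MAX_COST = 4, 31

# Modular-crypt form of a bcrypt hash:
#   $<2a|2b|2x|2y>$<two-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{53})$")


def is_bcrypt_hash(value):
    """True if `value` is syntactically a bcrypt modular-crypt string."""
    return bool(BCRYPT_RE.match(value))


def parse_bcrypt_cost(value):
    """Extract the cost factor; bcrypt performs 2**cost key-expansion rounds."""
    m = BCRYPT_RE.match(value)
    if not m:
        raise ValueError("not a bcrypt hash in modular-crypt form")
    return int(m.group(2))


def speedup_vs_recommended(cost, min_cost=RECOMMENDED_MIN_COST):
    """How many times cheaper one offline guess is at `cost` than at `min_cost`.
    Cost 5 versus 10 gives 2**5 = 32, the advisory's 'approximately 30x'."""
    return 2 ** (min_cost - cost)


def audit_hashes(rows, min_cost=RECOMMENDED_MIN_COST):
    """Audit (user, hash) rows from a password table. Each record carries the
    cost, the iteration count, the attacker's relative speed-up, and whether
    the hash should be re-hashed at the user's next successful login (the
    usual migration path after raising the cost, since the plaintext is only
    available at that moment)."""
    report = []
    for user, value in rows:
        cost = parse_bcrypt_cost(value)
        weak = cost < min_cost
        report.append({
            "user": user,
            "cost": cost,
            "iterations": 2 ** cost,
            "speedup_for_attacker": speedup_vs_recommended(cost, min_cost) if weak else 1,
            "needs_rehash": weak,
        })
    return report


def resolve_salt_rounds(env, min_cost=RECOMMENDED_MIN_COST):
    """Hardened reading of PASSWORD_SALT_HASH_ROUNDS (hypothetical helper, not
    Flowise's own code): an unset, non-numeric or too-low value clamps up to
    `min_cost`, and an out-of-range value clamps down to bcrypt's maximum, so
    a weak cost can never be configured by accident or by omission."""
    raw = env.get("PASSWORD_SALT_HASH_ROUNDS")
    try:
        requested = int(raw)
    except (TypeError, ValueError):
        requested = min_cost
    return max(min_cost, min(requested, BCRYPT_MAX_COST))


# Constructed sample rows (not real Flowise data): salt and digest characters
# are placeholder text of the correct length; only the cost field matters here.
_SALT_AND_DIGEST = "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_ROWS = [
    ("alice", "$2b$05$" + _SALT_AND_DIGEST),  # pre-3.0.13 default cost
    ("bob", "$2b$12$" + _SALT_AND_DIGEST),    # hashed after the cost was raised
]

if __name__ == "__main__":
    for rec in audit_hashes(SAMPLE_ROWS):
        flag = "REHASH" if rec["needs_rehash"] else "ok"
        print(f"{rec['user']:8} cost={rec['cost']:2} iterations={rec['iterations']:5} "
              f"attacker speed-up={rec['speedup_for_attacker']}x {flag}")
    print("effective bcrypt rounds from environment:", resolve_salt_rounds(os.environ))
```

Running the audit against an exported hash table is the quickest way to confirm whether an upgrade alone is enough: upgrading changes the cost for hashes created from then on, but every existing row keeps the cost it was created with until that user authenticates again and the application re-hashes, so the `needs_rehash` column is the list of accounts still exposed at cost 5.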


Related Flowise vulnerabilities

CVE-2025-59528 (CRITICAL 10.0, Sep 22, PoC): Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
CVE-2025-8943 (CRITICAL 9.8, Aug 14, PoC): Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c
CVE-2025-26319 (CRITICAL 9.8, Mar 04, PoC): FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una
CVE-2025-58434 (CRITICAL 9.8, Sep 12, PoC): Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9
CVE-2026-30821 (CRITICAL 9.8, Mar 07, PoC): Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent
CVE-2026-30824 (CRITICAL 9.8, Mar 07, PoC): Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi
CVE-2026-56274 (HIGH 8.7, Jun 23, PoC): Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per
CVE-2026-30820 (HIGH 8.8, Mar 07, PoC): Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof
CVE-2026-30823 (HIGH 8.8, Mar 07, PoC): Flowise versions up to 3.0.13 are affected by authorization bypass through user-controlled key (CVSS 8.8).
CVE-2026-30822 (HIGH 7.7, Mar 07, PoC): Flowise versions up to 3.0.13 are affected by improperly controlled modification of dynamically-determined object attribu
CVE-2025-29189 (HIGH 7.6, Apr 09, PoC): Flowise <= 2.2.3 is vulnerable to SQL Injection. Rated high severity (CVSS 7.6), this vulnerability is remotely exploita
CVE-2025-59527 (HIGH 7.5, Sep 22, PoC): Flowise is a drag & drop user interface to build a customized large language model flow. Rated high severity (CVSS 7.5),


CVE-2026-56272 vulnerability details – vuln.today
