CVE advisoryCRITICAL
CVE-2026-56271
Flowise Authentication Bypass via Weak Default JWT Secrets
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
Flowise's authentication middleware is vulnerable due to weak, hardcoded default JWT secrets and values. If an application falls back to these defaults, an attacker could forge valid JWTs to impersonate any user, including administrators, leading to authentication bypass. This is a concern because it could allow unauth