CVE-2026-56272

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

4.1 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N                                    

Vulnerability Description

Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database breach scenario.

Vulnerability Details

Published Date

June 24, 2026

Last Modified

June 24, 2026

CWE ID

CWE-916

Source

NVD

Vendor

Flowise

Product

Flowise

External References

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x2g5-fvc2-gqvp
https://www.vulncheck.com/advisories/flowise-insufficient-password-salt-rounds-in-bcrypt-hashing

CVE-2026-56272

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment