CVE Catalog

CVE-2026-56272

MediumCVSS 4.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.07%

0th percentile — higher than 0% of all known CVEs

Summary

Flowise before version 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database breach scenario.

Risk Assessment

The risk is that in the event of a database breach, an attacker can quickly decrypt user passwords, leading to account takeover and potential access to sensitive data.

Recommendation

It is recommended to immediately upgrade Flowise to version 3.0.13 or later, which uses a more secure bcrypt configuration with at least 10 salt rounds.

Original NVD description (English source)

Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database breach scenario.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS