CVE-2026-56272

Summary

Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database breach scenario.

Affected Software

VendorProductVersion RangeStatus
FlowiseFlowise0 < 3.0.13affected
FlowiseFlowise3.0.13unaffected

Weaknesses

  • CWE-916: Use of Password Hash With Insufficient Computational Effort

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References