CVE-2026-56272

Description

Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database breach scenario.

References

• https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x2g5-fvc2-gqvp
• https://www.vulncheck.com/advisories/flowise-insufficient-password-salt-rounds-in-bcrypt-hashing