GHSA-X2G5-FVC2-GQVP: Insufficient Bcrypt Salt Rounds in Flowise
Vulnerability ID: GHSA-X2G5-FVC2-GQVP
CVSS Score: Medium
Published: 2026-03-05
Flowise, an open-source low-code tool for LLM applications, contains a cryptographic weakness where user passwords were hashed using bcrypt with an insufficient work factor (salt rounds). Versions prior to 2.2.6 defaulted to 5 salt rounds, significantly below industry standards. This low computational cost allows attackers who obtain the database to crack password hashes via offline brute-force attacks at high speeds.
TL;DR
Flowise configured bcrypt with only 5 salt rounds, making password hashes trivial to crack if the database is compromised. Fixed in version 2.2.6 by increasing rounds to 10 and auto-upgrading hashes on login.
Technical Details
- CWE ID: CWE-916
- Weakness Name: Use of Password Hash with Insufficient Computational Effort
- Attack Vector: Local / Physical (Database Access Required)
- Impact: Credential Compromise
- Severity: Medium
- Default Salt Rounds: 5 (Vulnerable) vs 10 (Fixed)
Affected Systems
- Flowise (npm package)
- flowise: < 2.2.6 (Fixed in: 2.2.6)
Mitigation Strategies
- Update Flowise to version 2.2.6 or later.
- Rotate passwords for all administrative accounts.
- Configure higher salt rounds via environment variables.
Remediation Steps:
- Stop the running Flowise instance.
- Pull the latest Docker image (flowiseai/flowise:latest) or update the npm package (npm install -g flowise).
- Restart the service.
- Log out and log back in with all administrative accounts to trigger the automatic hash upgrade logic.
- Optionally, set PASSWORD_SALT_HASH_ROUNDS=12 in your .env file for higher security.
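Added example, not Flowise's own code, showing the check behind the automatic hash upgrade described above: read the cost factor embedded in a stored bcrypt hash and compare it with the configured policy. The PASSWORD_SALT_HASH_ROUNDS variable name is taken from this advisory; the hash layout and the 4..31 cost range are bcrypt's own format, and the sample hash is constructed.

```javascript
// Added example, not Flowise's own code. Inspects the cost factor embedded in a
// bcrypt hash string and decides whether a stored hash must be re-hashed at the
// next successful login. Layout assumed: $2b$<2-digit cost>$<22-char salt><31-char digest>.
const BCRYPT_RE = /^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Constructed sample: cost 05 with placeholder salt/digest characters, not a real hash.
const SAMPLE_HASH = "$2b$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234";

// Split a bcrypt hash into version, cost, salt and digest; null if malformed.
function parseBcrypt(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  return { version: m[1], cost: parseInt(m[2], 10), salt: m[3], digest: m[4] };
}

// bcrypt runs 2^cost key-setup iterations, so raising the cost from a to b
// multiplies the attacker's per-guess work by 2^(b-a): 5 -> 10 is 32x.
function relativeCost(fromCost, toCost) {
  return 2 ** (toCost - fromCost);
}

// Policy cost as a deployment would read it from PASSWORD_SALT_HASH_ROUNDS
// (variable name from the advisory); falls back to 10 when unset or outside
// bcrypt's valid 4..31 range.
function policyCost(envValue, fallback = 10) {
  const n = Number.parseInt(envValue ?? "", 10);
  if (!Number.isInteger(n) || n < 4 || n > 31) return fallback;
  return n;
}

// Decide, after the submitted password has already verified against `hash`,
// whether the stored hash is weaker than policy and should be replaced.
// Unparseable hashes are flagged so they get migrated rather than kept forever.
function needsRehash(hash, minCost) {
  const parsed = parseBcrypt(hash);
  return parsed === null || parsed.cost < minCost;
}

// Demo run against the constructed sample hash.
const target = policyCost(process.env.PASSWORD_SALT_HASH_ROUNDS);
console.log(`stored cost=${parseBcrypt(SAMPLE_HASH).cost}, policy cost=${target}`);
console.log(`rehash needed: ${needsRehash(SAMPLE_HASH, target)}`);
console.log(`attacker work per guess at policy cost: ${relativeCost(5, target)}x`);
```

In a real login handler the rehash runs only after the password has verified against the old hash, since that is the only moment the plaintext is available to hash again.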
References
Read the full report for GHSA-X2G5-FVC2-GQVP on our website for more details including interactive diagrams and full exploit analysis.