CVSS Score: Medium Published: 2026-03-05 Full Report: https://cvereports.com/reports/GHSA-X2G5-FVC2-GQVP
Flowise, an open-source low-code tool for LLM applications, contains a cryptographic weakness where user passwords were hashed using bcrypt with an insufficient work factor (salt rounds). Versions prior to 2.2.6 defaulted to 5 salt rounds, significantly below industry standards. This low computational cost allows attackers who obtain the database to crack password hashes via offline brute-force attacks at high speeds.
Flowise configured bcrypt with only 5 salt rounds, making password hashes trivial to crack if the database is compromised. Fixed in version 2.2.6 by increasing rounds to 10 and auto-upgrading hashes on login.
- CWE ID: CWE-916
- Weakness Name: Use of Password Hash with Insufficient Computational Effort
- Attack Vector: Local / Physical (Database Access Required)
- Impact: Credential Compromise
- Severity: Medium
- Default Salt Rounds: 5 (Vulnerable) vs 10 (Fixed)
- Flowise (npm package)
- flowise: < 2.2.6 (Fixed in: 2.2.6)
- Update Flowise to version 2.2.6 or later.
- Rotate passwords for all administrative accounts.
- Configure higher salt rounds via environment variables.
Remediation Steps:
- Stop the running Flowise instance.
- Pull the latest Docker image (flowiseai/flowise:latest) or update the npm package (npm install -g flowise).
- Restart the service.
- Log out and log back in with all administrative accounts to trigger the automatic hash upgrade logic.
- Optionally, set PASSWORD_SALT_HASH_ROUNDS=12 in your .env file for higher security.
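As an added illustration (this is not Flowise's own code), the Node.js snippet below shows what the work factor inside a bcrypt hash means, why 5 rounds is weak relative to 10, and how a login handler can upgrade a weak hash transparently, which is the approach the 2.2.6 fix is described as taking. It assumes the bcryptjs npm package for the actual hashing (its hashSync/compareSync API); the parsing and policy helpers need no dependency. Names such as loginAndUpgrade, needsRehash and MIN_ROUNDS are this example's own.

```javascript
// Added example, not Flowise's own code. Shows what a bcrypt work factor is,
// why 5 rounds is weak, and how a login handler can re-hash weak entries.
// Assumes the bcryptjs npm package for real hashing (hashSync/compareSync);
// the helpers below need no dependency.

const MIN_ROUNDS = 10;    // default the advisory says 2.2.6 adopted
const LEGACY_ROUNDS = 5;  // default in versions before 2.2.6

// A bcrypt string looks like $2b$10$<22-char salt><31-char digest>; the two
// digits after the version tag are the cost, i.e. log2 of the key-setup
// iterations. Returns the cost, or throws for anything that is not bcrypt.
function parseBcryptCost(hash) {
  const m = /^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$/.exec(hash);
  if (!m) throw new Error('not a bcrypt hash: ' + String(hash).slice(0, 7));
  return parseInt(m[1], 10);
}

// Each extra round doubles the work, so a hash stored at `storedRounds` can be
// attacked 2^(recommended - stored) times faster than one at the recommended
// cost. For 5 vs 10 that factor is 32.
function crackSpeedupFactor(storedRounds, recommendedRounds) {
  return 2 ** (recommendedRounds - storedRounds);
}

function needsRehash(hash, minRounds = MIN_ROUNDS) {
  return parseBcryptCost(hash) < minRounds;
}

// Work factor from the PASSWORD_SALT_HASH_ROUNDS knob the advisory mentions.
// Anything missing or below MIN_ROUNDS is clamped to MIN_ROUNDS so a typo
// cannot silently reintroduce the weak default (a choice made here, not
// necessarily how the project itself treats the variable).
function configuredRounds(env = process.env) {
  const n = parseInt(env.PASSWORD_SALT_HASH_ROUNDS ?? '', 10);
  return Number.isInteger(n) && n >= MIN_ROUNDS ? n : MIN_ROUNDS;
}

// Login handler. The plaintext is only available at login time, which is why
// the upgrade has to happen here: verify against the stored hash first, and
// only if that succeeds compute a replacement at the current work factor.
// `bcrypt` is any object exposing compareSync(pw, hash) and hashSync(pw, rounds).
function loginAndUpgrade(bcrypt, user, password, minRounds = MIN_ROUNDS) {
  if (!bcrypt.compareSync(password, user.passwordHash)) {
    return { ok: false, newHash: null };   // wrong password: never touch the hash
  }
  if (!needsRehash(user.passwordHash, minRounds)) {
    return { ok: true, newHash: null };    // already at or above the target cost
  }
  const newHash = bcrypt.hashSync(password, minRounds);
  return { ok: true, newHash };            // caller persists newHash for the user
}

// Live demo when bcryptjs is installed; skipped otherwise so the helpers
// above still load stand-alone.
let bcrypt = null;
try { bcrypt = require('bcryptjs'); } catch (_) { /* not installed */ }
if (bcrypt) {
  // Constructed sample user with a legacy 5-round hash.
  const user = { passwordHash: bcrypt.hashSync('correct horse', LEGACY_ROUNDS) };
  const before = parseBcryptCost(user.passwordHash);
  const result = loginAndUpgrade(bcrypt, user, 'correct horse');
  console.log(`stored cost ${before}, upgraded to ${parseBcryptCost(result.newHash)},` +
              ` speedup an attacker had: ${crackSpeedupFactor(before, MIN_ROUNDS)}x`);
}
```

The upgrade is deliberately gated on a successful compare: a failed login must never cause a write to the stored hash, and hashes of users who never log in again stay at the old cost, which is why the advisory's step of logging in with every administrative account matters.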
Generated by CVEReports - Automated Vulnerability Intelligence