OWASP A02 · Security Misconfiguration · CWE-798 Use of Hard-coded Credentials · Severity: High
Hardcoded / default secret — CWE-798
A fallback secret baked into the code becomes the same key on every deployment.
What happened
A recurring 2026 pattern in self-hosted AI tools (Flowise and others): a JWT or session secret with a hardcoded fallback like `process.env.SECRET || 'changeme'`. Operators who don't set the env var all run the identical key, so anyone who reads the public source can forge tokens for every unconfigured install.
The code
✕ Vulnerable — Secrets
const jwt = require("jsonwebtoken");
const SECRET = process.env.JWT_SECRET || "changeme"; // silent fallback to a value anyone can read in the source
jwt.sign(payload, SECRET); // every default install shares "changeme"
✓ Fixed — Secrets
const jwt = require("jsonwebtoken");
const SECRET = process.env.JWT_SECRET;
if (!SECRET) throw new Error("JWT_SECRET is required — refusing to start");
jwt.sign(payload, SECRET); // no fallback; fail to boot instead of failing open
Educational case study. The "vulnerable" snippet is a minimal teaching example, not a working exploit. Benteng · a Palu Gada tool.