
CVE-2026-43946

HIGH
Incorrect Authorization (CWE-863)
2026-05-26 https://github.com/frangoteam/FUXA GHSA-fwcm-rqvw-j3p7

Lifecycle Timeline

Source Code Evidence Fetched
May 27, 2026 - 00:02 vuln.today
Analysis Generated
May 27, 2026 - 00:02 vuln.today

Description (NVD)

Summary

An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist.

Details

The issue is caused by the combination of these code paths:

  • server/api/apikeys/verify-api-or-token.js:45 sends requests without x-api-key to authJwt.verifyToken(req, res, next).
  • server/api/jwt-helper.js:46-64 creates a signed guest token when no x-access-token is provided:

if (!token) { token = getGuestToken(); } and then populates req.userId / req.userGroups from that guest token.

  • server/api/command/index.js:76-105 exposes /api/getTagValue.
  • server/runtime/scripts/index.js:106-111 returns true when the referenced script does not exist:

if (!script) { return true; }

As a result, an unauthenticated request reaches /api/getTagValue as guest, and the authorization check is bypassed because isAuthorisedByScriptName() returns true when sourceScriptName is omitted or does not match a real script. The endpoint then returns arbitrary tag values by ID.

PoC

Requests to /api/getTagValue sent without any credentials succeed when sourceScriptName is omitted or names a script that does not exist, because the authorization logic treats that case as authorized.
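A detection sweep matching the behaviour described above, added here as an example and not taken from FUXA or the advisory: it flags successful requests to /api/getTagValue that carried neither x-api-key nor x-access-token, which under the vulnerable logic ran as the implicit guest. The log records are constructed and their field layout is an assumption; the function names (findGuestTagReads, summariseBySource, isCredentialled) are assumptions as well.

```javascript
// Added example (not from FUXA or the advisory): flag credential-less
// getTagValue reads in constructed request-log records.

// Constructed JSON-per-line request log; the field layout is an assumption
// and should be mapped onto the reverse-proxy or application log in use.
const constructedLog = [
  { ts: '2026-05-27T00:10:01Z', src: '10.0.0.5', method: 'GET',
    url: '/api/getTagValue?id=TAG-2&sourceScriptName=does-not-exist',
    headers: {}, status: 200 },
  { ts: '2026-05-27T00:10:02Z', src: '10.0.0.5', method: 'GET',
    url: '/api/getTagValue?id=TAG-1',
    headers: {}, status: 200 },
  { ts: '2026-05-27T00:10:03Z', src: '10.0.0.9', method: 'GET',
    url: '/api/getTagValue?id=TAG-1&sourceScriptName=dashboard-refresh',
    headers: { 'X-Access-Token': 'constructed-token' }, status: 200 },
  { ts: '2026-05-27T00:10:04Z', src: '10.0.0.7', method: 'GET',
    url: '/api/getTagValue?id=TAG-3',
    headers: { 'x-api-key': 'constructed-key' }, status: 200 },
  { ts: '2026-05-27T00:10:05Z', src: '10.0.0.5', method: 'GET',
    url: '/api/project', headers: {}, status: 401 },
].map((record) => JSON.stringify(record));

// Either header takes a request off the guest path in the advisory's model.
const CREDENTIAL_HEADERS = ['x-api-key', 'x-access-token'];

// Header names are case-insensitive, so normalise before matching.
function isCredentialled(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
  );
  return CREDENTIAL_HEADERS.some((h) => Boolean(lower[h]));
}

// One finding per successful getTagValue request that carried no credential.
function findGuestTagReads(lines) {
  const findings = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }  // skip malformed lines
    const url = new URL(rec.url, 'http://fuxa.invalid');  // base only for parsing
    if (url.pathname !== '/api/getTagValue' || rec.status !== 200) continue;
    if (isCredentialled(rec.headers)) continue;
    findings.push({
      ts: rec.ts,
      src: rec.src,
      tagId: url.searchParams.get('id'),
      sourceScriptName: url.searchParams.get('sourceScriptName'),
    });
  }
  return findings;
}

// Count findings per source address for triage.
function summariseBySource(findings) {
  const counts = {};
  for (const f of findings) counts[f.src] = (counts[f.src] || 0) + 1;
  return counts;
}

console.log(findGuestTagReads(constructedLog));
console.log(summariseBySource(findGuestTagReads(constructedLog)));
```

A hit is a triage candidate, not proof of abuse: a deployment that intentionally exposes some tags to guests will log the same shape. Sort hits by source address and by tag ID, and compare the tag IDs read against what the guest role is supposed to see.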

Analysis (AI)

Unauthenticated disclosure of arbitrary industrial tag values in FUXA 1.3.0 lets remote actors read live process data through the /api/getTagValue endpoint. Per the vendor advisory (GHSA-fwcm-rqvw-j3p7), the API mints a signed 'guest' identity when no API key or access token is supplied, and the per-script authorization check fails open when the referenced sourceScriptName points to a non-existent script, so the guest request is treated as authorized. …


Remediation (AI)

Within 24 hours: conduct an asset inventory to identify all instances running FUXA 1.3.0 (check fuxa-server npm package versions in production and staging environments). Within 7 days: deploy FUXA v1.3.1 across all affected systems, prioritizing production SCADA/IoT gateways. …



CVE-2026-43946 vulnerability details – vuln.today
