Skip to main content

FUXA CVE-2026-47718

MEDIUM
Improper Authentication (CWE-287)
2026-05-28 https://github.com/frangoteam/FUXA GHSA-r9g5-7q8j-958c
Share

Lifecycle Timeline

2
Source Code Evidence Fetched
May 28, 2026 - 21:21 vuln.today
Analysis Generated
May 28, 2026 - 21:21 vuln.today

DescriptionCVE.org

Summary

When secureEnabled=true, FUXA 1.3.0-2773 still allows guest and invalid-token requests to read project, alarms, and scheduler APIs.

Details

In secure mode, requests with no token or an explicitly invalid token were still able to access protected read endpoints.

Confirmed behavior:

  • guest GET /api/project returned 200 OK
  • invalid-token requests to /api/project also returned successful responses containing project data
  • guest and invalid-token requests also returned 200 OK on:
  • /api/alarms
  • /api/scheduler

Relevant code paths identified during analysis:

  • server/api/jwt-helper.js
  • verifyToken() converts missing-token or invalid-token states into guest context instead of rejecting the request
  • server/api/projects/index.js
  • server/api/alarms/index.js
  • server/api/scheduler/index.js

These handlers accepted the guest context and returned sensitive data in secure mode.

PoC

Tested only against isolated local lab instances under the original tester's control. No production, customer, shared, or third-party systems were involved.

Reproduction:

  1. Start FUXA 1.3.0-2773.
  2. Set secureEnabled=true.
  3. Send unauthenticated requests to:
  • GET /api/project
  • GET /api/alarms
  • GET /api/scheduler?id=test
  1. Observe 200 OK responses.
  2. Send the same requests with an explicitly invalid x-access-token value.
  3. Observe the same successful responses.

The exact HTTP requests and local PoC script used for confirmation can be provided upon request.

Impact

This is an authentication/authorization weakness in secure mode.

Impact includes:

  • project metadata disclosure
  • alarms disclosure
  • scheduler information disclosure
  • assistance in reconnaissance/follow-on attacks

Operators who believe secure mode protects these APIs are impacted.

AnalysisAI

Authentication bypass in FUXA 1.3.0-2773 renders the secureEnabled=true configuration ineffective, exposing project topology, alarm configurations, and scheduler data to unauthenticated or invalid-token HTTP requests. The flaw originates in server/api/jwt-helper.js, where verifyToken() silently converts missing or malformed JWT tokens into a guest context rather than rejecting the request - and downstream route handlers accept that guest context without further authorization checks. Publicly available exploit code exists (documented reproduction steps in GitHub advisory GHSA-r9g5-7q8j-958c), and a vendor-confirmed fix was released in v1.3.1.

Technical ContextAI

FUXA is an open-source SCADA/HMI web application distributed as the npm package fuxa-server, used for industrial automation visualization and supervisory control. The vulnerability is rooted in CWE-287 (Improper Authentication): verifyToken() in server/api/jwt-helper.js contains authentication logic that maps both a missing x-access-token header and an explicitly invalid token value to a guest identity object, rather than returning an HTTP 401/403. The guest context is then propagated to route handlers in server/api/projects/index.js, server/api/alarms/index.js, and server/api/scheduler/index.js, which accept it and return sensitive data. The affected package is pkg:npm/fuxa-server at the exact pinned version 1.3.0-2773. The v1.3.1 release notes confirm the fix under issue #2260 as 'Security: authentication bypass in request routing logic'.

RemediationAI

Upgrade to FUXA v1.3.1, which is confirmed by both the npm advisory metadata and the GitHub release to resolve the authentication bypass via fix #2260 ('Security: authentication bypass in request routing logic'). The v1.3.1 release also addresses related security issues in the same release: authorization validation for /api/getTagValue, SQL injection in user/role storage, and script-related security hardening - making the upgrade broadly recommended beyond this specific CVE. The release is available at https://github.com/frangoteam/FUXA/releases/tag/v1.3.1. If immediate upgrade is not feasible, restrict network access to the FUXA HTTP interface using a firewall rule or authenticating reverse proxy (e.g., nginx with auth_basic) to prevent unauthenticated clients from reaching the /api/project, /api/alarms, and /api/scheduler endpoints. This perimeter control does not fix the underlying code defect and must be removed once patching is complete, as it may mask other vulnerabilities in the same codebase.

Share

CVE-2026-47718 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy