Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise the confidentiality of the affected resource, provided they have a valid token with which to interact with the API.
AnalysisAI
Authentication bypass in Fullstep V5 registration process enables unauthenticated remote attackers to obtain valid JWT tokens for accessing protected API resources without credentials. CVSS v4.0 score of 8.7 reflects the severity of network-accessible authentication bypass with high confidentiality impact. Vendor patch is available through INCIBE coordination. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis, though the vulnerability's low complexity (AC:L) and lack of required authentication (PR:N) make it readily exploitable once discovered.
Technical ContextAI
This vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where the Fullstep V5 registration endpoint fails to implement adequate access control mechanisms. JWT (JSON Web Tokens) are commonly used for stateless authentication in REST APIs, where a signed token proves the bearer's identity and permissions. The flaw allows the registration process to issue valid, signed JWT tokens without proper validation of the requester's authorization. Once an attacker obtains a JWT token through this flawed registration flow, they can present it in API requests to bypass authentication checks on protected endpoints. The CVSS v4.0 vector shows network attack vector (AV:N), low complexity (AC:L), no attack requirements (AT:N), no privileges required (PR:N), and no user interaction (UI:N), indicating this is a straightforward remote attack against the application's authentication architecture. The impact is limited to vulnerable system confidentiality (VC:H) with no integrity or availability impact, suggesting read-only access to protected data.
RemediationAI
Apply the vendor-released patch immediately, available through the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fullstep. Contact Fullstep support to obtain the specific patched version for your deployment, as exact version numbers are not provided in the CVE record. Until patching is complete, implement network-level compensating controls: restrict API access to trusted IP ranges using firewall rules or web application firewall (WAF) policies, particularly the registration endpoint; implement rate limiting on the registration endpoint to slow mass token generation attempts (trade-off: may impact legitimate user registration during high-traffic periods); deploy API gateway with additional authentication layers requiring pre-approved API keys for registration endpoint access (trade-off: changes user onboarding workflow); enable comprehensive API access logging to detect anomalous JWT token usage patterns post-exploitation; audit all JWT tokens issued through registration process and consider token revocation/rotation if unauthorized access is suspected (trade-off: forces re-authentication for legitimate users). Note that network restrictions only mitigate external threats and do not address insider risk scenarios.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24744