Skip to main content

Fullstep V5 EUVDEUVD-2026-24744

| CVE-2026-5749 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-04-22 INCIBE
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Apr 22, 2026 - 14:59 vuln.today
CVSS changed
Apr 22, 2026 - 14:22 NVD
8.7 (HIGH)
EUVD ID Assigned
Apr 22, 2026 - 14:00 euvd
EUVD-2026-24744
Analysis Generated
Apr 22, 2026 - 14:00 vuln.today
Patch released
Apr 22, 2026 - 14:00 nvd
Patch available
CVE Published
Apr 22, 2026 - 13:23 nvd
HIGH 8.7

DescriptionCVE.org

Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise the confidentiality of the affected resource, provided they have a valid token with which to interact with the API.

AnalysisAI

Authentication bypass in Fullstep V5 registration process enables unauthenticated remote attackers to obtain valid JWT tokens for accessing protected API resources without credentials. CVSS v4.0 score of 8.7 reflects the severity of network-accessible authentication bypass with high confidentiality impact. Vendor patch is available through INCIBE coordination. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis, though the vulnerability's low complexity (AC:L) and lack of required authentication (PR:N) make it readily exploitable once discovered.

Technical ContextAI

This vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where the Fullstep V5 registration endpoint fails to implement adequate access control mechanisms. JWT (JSON Web Tokens) are commonly used for stateless authentication in REST APIs, where a signed token proves the bearer's identity and permissions. The flaw allows the registration process to issue valid, signed JWT tokens without proper validation of the requester's authorization. Once an attacker obtains a JWT token through this flawed registration flow, they can present it in API requests to bypass authentication checks on protected endpoints. The CVSS v4.0 vector shows network attack vector (AV:N), low complexity (AC:L), no attack requirements (AT:N), no privileges required (PR:N), and no user interaction (UI:N), indicating this is a straightforward remote attack against the application's authentication architecture. The impact is limited to vulnerable system confidentiality (VC:H) with no integrity or availability impact, suggesting read-only access to protected data.

RemediationAI

Apply the vendor-released patch immediately, available through the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fullstep. Contact Fullstep support to obtain the specific patched version for your deployment, as exact version numbers are not provided in the CVE record. Until patching is complete, implement network-level compensating controls: restrict API access to trusted IP ranges using firewall rules or web application firewall (WAF) policies, particularly the registration endpoint; implement rate limiting on the registration endpoint to slow mass token generation attempts (trade-off: may impact legitimate user registration during high-traffic periods); deploy API gateway with additional authentication layers requiring pre-approved API keys for registration endpoint access (trade-off: changes user onboarding workflow); enable comprehensive API access logging to detect anomalous JWT token usage patterns post-exploitation; audit all JWT tokens issued through registration process and consider token revocation/rotation if unauthorized access is suspected (trade-off: forces re-authentication for legitimate users). Note that network restrictions only mitigate external threats and do not address insider risk scenarios.

Share

EUVD-2026-24744 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy