GHSA-R9G5-7Q8J-958C
Vulnerability from github – Published: 2026-05-28 20:33 – Updated: 2026-05-28 20:33Summary
When secureEnabled=true, FUXA 1.3.0-2773 still allows guest and invalid-token requests to read project, alarms, and scheduler APIs.
### Details
In secure mode, requests with no token or an explicitly invalid token were still able to access protected read endpoints.
Confirmed behavior:
- guest
GET /api/projectreturned200 OK - invalid-token requests to
/api/projectalso returned successful responses containing project data - guest and invalid-token requests also returned
200 OKon:/api/alarms/api/scheduler
Relevant code paths identified during analysis:
server/api/jwt-helper.jsverifyToken()converts missing-token or invalid-token states into guest context instead of rejecting the request
server/api/projects/index.jsserver/api/alarms/index.jsserver/api/scheduler/index.js
These handlers accepted the guest context and returned sensitive data in secure mode.
### PoC
Tested only against isolated local lab instances under the original tester's control. No production, customer, shared, or third-party systems were involved.
Reproduction:
- Start FUXA
1.3.0-2773. - Set
secureEnabled=true. - Send unauthenticated requests to:
GET /api/projectGET /api/alarmsGET /api/scheduler?id=test
- Observe
200 OKresponses. - Send the same requests with an explicitly invalid
x-access-tokenvalue. - Observe the same successful responses.
The exact HTTP requests and local PoC script used for confirmation can be provided upon request.
### Impact
This is an authentication/authorization weakness in secure mode.
Impact includes:
- project metadata disclosure
- alarms disclosure
- scheduler information disclosure
- assistance in reconnaissance/follow-on attacks
Operators who believe secure mode protects these APIs are impacted.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fuxa-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0-2773"
},
{
"fixed": "1.3.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.3.0-2773"
]
}
],
"aliases": [
"CVE-2026-47718"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-28T20:33:11Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\n When `secureEnabled=true`, FUXA `1.3.0-2773` still allows guest and invalid-token requests to read project, alarms, and scheduler APIs.\n\n ### Details\n\n In secure mode, requests with no token or an explicitly invalid token were still able to access protected read endpoints.\n\n Confirmed behavior:\n\n - guest `GET /api/project` returned `200 OK`\n - invalid-token requests to `/api/project` also returned successful responses containing project data\n - guest and invalid-token requests also returned `200 OK` on:\n - `/api/alarms`\n - `/api/scheduler`\n\n Relevant code paths identified during analysis:\n\n - `server/api/jwt-helper.js`\n - `verifyToken()` converts missing-token or invalid-token states into guest context instead of rejecting the request\n - `server/api/projects/index.js`\n - `server/api/alarms/index.js`\n - `server/api/scheduler/index.js`\n\n These handlers accepted the guest context and returned sensitive data in secure mode.\n\n ### PoC\n\n Tested only against isolated local lab instances under the original tester\u0027s control. No production, customer, shared, or third-party systems were involved.\n\n Reproduction:\n\n 1. Start FUXA `1.3.0-2773`.\n 2. Set `secureEnabled=true`.\n 3. Send unauthenticated requests to:\n - `GET /api/project`\n - `GET /api/alarms`\n - `GET /api/scheduler?id=test`\n 4. Observe `200 OK` responses.\n 5. Send the same requests with an explicitly invalid `x-access-token` value.\n 6. Observe the same successful responses.\n\n The exact HTTP requests and local PoC script used for confirmation can be provided upon request.\n\n ### Impact\n\n This is an authentication/authorization weakness in secure mode.\n\n Impact includes:\n\n - project metadata disclosure\n - alarms disclosure\n - scheduler information disclosure\n - assistance in reconnaissance/follow-on attacks\n\n Operators who believe secure mode protects these APIs are impacted.",
"id": "GHSA-r9g5-7q8j-958c",
"modified": "2026-05-28T20:33:11Z",
"published": "2026-05-28T20:33:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-r9g5-7q8j-958c"
},
{
"type": "PACKAGE",
"url": "https://github.com/frangoteam/FUXA"
},
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/releases/tag/v1.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "FUXA provides guest and invalid-token access to protected read APIs in secure mode"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.