FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials.
Metrics
Affected Vendors & Products
References
History
Wed, 01 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 01 Jul 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Frangoteam
Frangoteam fuxa Scada/hmi |
|
| Vendors & Products |
Frangoteam
Frangoteam fuxa Scada/hmi |
Tue, 30 Jun 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials. | |
| Title | Frangoteam FUXA SCADA/HMI Authentication Bypass by Spoofing | |
| Weaknesses | CWE-290 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: icscert
Published: 2026-06-30T20:24:33.449Z
Updated: 2026-07-01T15:38:21.816Z
Reserved: 2026-06-24T14:31:56.877Z
Link: CVE-2026-13207
Updated: 2026-07-01T15:38:18.321Z
No data.
No data.