CVE-2026-5749
Inadequate Access Control in Fullstep V5 Registration Enables Unauthorized JWT Access
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fullstep | v5 | * |
| fullstep | fullstep | 5.30.07 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5749 is a critical vulnerability in Fullstep version 5 related to inadequate access control during the registration process.
This flaw allows unauthenticated users to obtain a valid JWT token, which normally should only be available to authenticated users.
With this token, an attacker can interact with API resources that require authentication, potentially compromising the confidentiality of those resources.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated users to obtain valid JWT tokens and interact with authenticated API resources, potentially compromising the confidentiality of sensitive data.
Such a compromise of confidentiality can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.
Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to unauthorized data access.
How can this vulnerability impact me? :
The vulnerability allows an unauthenticated attacker to gain access to authenticated API resources by obtaining a valid JWT token.
This can lead to unauthorized access to sensitive information, compromising the confidentiality of the affected resources.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthenticated users obtaining a valid JWT token through the registration process in Fullstep V5. Detection can focus on monitoring API requests to the registration endpoints for unusual token issuance without proper authentication.
You can look for suspicious API calls that result in JWT tokens being issued without authentication, especially targeting the registration process endpoints.
Example commands to detect such activity might include:
- Using network traffic analysis tools like tcpdump or Wireshark to filter HTTP requests to the registration API endpoints.
- Example tcpdump command: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -i 'registration' to capture registration-related traffic.
- Using log analysis to search for JWT token issuance without authentication in Fullstep server logs.
- Example grep command: grep -i 'token issued' /var/log/fullstep/*.log | grep -v 'authenticated user'
Note that specific commands depend on your environment and logging setup, but focusing on unauthorized JWT token issuance in registration API calls is key.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Fullstep to version 5.30.07 or later, as this version addresses and eliminates the vulnerability.
Until the upgrade can be applied, restrict access to the registration API endpoints to trusted users or networks to prevent unauthenticated token issuance.
Additionally, monitor and audit API usage for suspicious activity related to token issuance and access to authenticated resources.