CVE-2026-5749
Deferred Deferred - Pending Action
Inadequate Access Control in Fullstep V5 Registration Enables Unauthorized JWT Access

Publication date: 2026-04-22

Last updated on: 2026-05-19

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise the confidentiality of the affected resource, provided they have a valid token with which to interact with the API.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5749
EUVD
EUVD-2026-24744
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
fullstep v5 *
fullstep fullstep 5.30.07
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated users to obtain valid JWT tokens and interact with authenticated API resources, potentially compromising the confidentiality of sensitive data.

Such a compromise of confidentiality can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to unauthorized data access.

Executive Summary

CVE-2026-5749 is a critical vulnerability in Fullstep version 5 related to inadequate access control during the registration process.

This flaw allows unauthenticated users to obtain a valid JWT token, which normally should only be available to authenticated users.

With this token, an attacker can interact with API resources that require authentication, potentially compromising the confidentiality of those resources.

Impact Analysis

The vulnerability allows an unauthenticated attacker to gain access to authenticated API resources by obtaining a valid JWT token.

This can lead to unauthorized access to sensitive information, compromising the confidentiality of the affected resources.

Detection Guidance

This vulnerability involves unauthenticated users obtaining a valid JWT token through the registration process in Fullstep V5. Detection can focus on monitoring API requests to the registration endpoints for unusual token issuance without proper authentication.

You can look for suspicious API calls that result in JWT tokens being issued without authentication, especially targeting the registration process endpoints.

Example commands to detect such activity might include:

  • Using network traffic analysis tools like tcpdump or Wireshark to filter HTTP requests to the registration API endpoints.
  • Example tcpdump command: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -i 'registration' to capture registration-related traffic.
  • Using log analysis to search for JWT token issuance without authentication in Fullstep server logs.
  • Example grep command: grep -i 'token issued' /var/log/fullstep/*.log | grep -v 'authenticated user'

Note that specific commands depend on your environment and logging setup, but focusing on unauthorized JWT token issuance in registration API calls is key.

Mitigation Strategies

The immediate mitigation step is to upgrade Fullstep to version 5.30.07 or later, as this version addresses and eliminates the vulnerability.

Until the upgrade can be applied, restrict access to the registration API endpoints to trusted users or networks to prevent unauthenticated token issuance.

Additionally, monitor and audit API usage for suspicious activity related to token issuance and access to authenticated resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5749. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart