CVE-2026-13207
Received Received - Intake

Authentication Bypass in FUXA via Path Traversal

Vulnerability report for CVE-2026-13207, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: ICS-CERT

Description

FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-30
Last Modified
2026-06-30
Generated
2026-07-01
AI Q&A
2026-07-01
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fuxa fuxa 1.3.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

FUXA versions 1.3.1 and earlier have an authentication bypass vulnerability in their REST API. This happens because the API router does not properly normalize dot-segment sequences (like "/./" or "/../") in the URL path before applying authentication checks. As a result, attackers can craft requests with these dot-segments to access protected endpoints without providing valid credentials.

  • For example, requests to paths such as /api/./users, /api/./roles, or /api/project/../users bypass authentication.

This flaw allows unauthorized users to retrieve sensitive user and role data from the system.

Impact Analysis

This vulnerability can have serious impacts because it allows attackers to bypass authentication and access sensitive information without any credentials.

  • Unauthorized access to user and role data could lead to information disclosure.
  • Attackers might gain insights into system users and permissions, potentially facilitating further attacks.

Overall, it compromises the confidentiality of sensitive data and the security of the system.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13207. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart