CVE Catalog

CVE-2026-13207

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile — higher than 27% of all known CVEs

Summary

FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials.

Risk Assessment

The risk involves unauthorized access to sensitive user and role data, potentially leading to information disclosure, privilege escalation, or further attacks on the system.

Recommendation

It is recommended to immediately update FUXA to a version later than 1.3.1 that includes a fix for normalizing paths before authentication. If an update is not possible, temporarily restrict API access using a firewall or reverse proxy.

Original NVD description (English source)

FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS