PT-2026-53986 · Fuxa · Fuxa
Joshua Hayes · Published 2026-06-30 · Updated 2026-06-30
CVE-2026-13207
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
FUXA versions prior to 1.3.2
Description
An authentication bypass exists in the REST API due to improper dot-segment path normalization. The API router does not normalize dot-segment sequences before the authentication middleware is applied. This allows unauthenticated users to access protected endpoints by prefixing paths with dot-segments, such as '/api/./users', '/api/./roles', and '/api/project/../users', resulting in the unauthorized disclosure of sensitive user and role data.
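The mismatch described above, as an added example that is not FUXA's code or the fix shipped in 1.3.2: a guard that decides on the raw request path is compared with one that removes dot-segments first. The protected-prefix list and all function names are hypothetical.

```javascript
// Added example: a simplified model of the flaw class, not FUXA source code.
// PROTECTED and both guard functions are hypothetical names.
const PROTECTED = ['/api/users', '/api/roles'];

// Drop "." segments and resolve ".." against the previous segment, the
// effect of RFC 3986 section 5.2.4 on an absolute path (trailing-slash
// preservation is ignored here because only the auth decision matters).
function removeDotSegments(path) {
  const out = [];
  for (const seg of path.split('/')) {
    if (seg === '.') continue;
    if (seg === '..') {
      if (out.length > 1) out.pop(); // never climb above the root
      continue;
    }
    out.push(seg);
  }
  return out.join('/') || '/';
}

function isProtected(path) {
  return PROTECTED.some((p) => path === p || path.startsWith(p + '/'));
}

// Weak pattern: the auth decision is made on the raw request path.
const needsAuthRaw = (rawPath) => isProtected(rawPath);

// Hardened pattern: canonicalize first, then decide on the canonical path.
const needsAuthNormalized = (rawPath) => isProtected(removeDotSegments(rawPath));

// Return the paths on which the two decisions disagree.
function findBypassCandidates(paths) {
  return paths
    .filter((p) => !needsAuthRaw(p) && needsAuthNormalized(p))
    .map((p) => ({ raw: p, canonical: removeDotSegments(p) }));
}

// The first three paths are quoted in the advisory; the last two are constructed.
const SAMPLE_PATHS = [
  '/api/./users', '/api/./roles', '/api/project/../users',
  '/api/users', '/api/project',
];

console.log(findBypassCandidates(SAMPLE_PATHS));
```

Running the same comparison over request paths taken from access logs highlights requests whose raw form skipped a guard that the canonical form would have hit.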
Recommendations
Update FUXA to version 1.3.2 or later.
Fix
Authentication Bypass by Spoofing
Weakness Enumeration
Related Identifiers
Affected Products
Fuxa