PT-2026-53986 · Fuxa · Fuxa

Joshua Hayes · Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-13207

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

FUXA versions prior to 1.3.2

Description

An authentication bypass exists in the REST API due to improper dot-segment path normalization. The API router does not normalize dot-segment sequences before the authentication middleware is applied. This allows unauthenticated users to access protected endpoints by prefixing paths with dot-segments, such as '/api/./users', '/api/./roles', and '/api/project/../users', resulting in the unauthorized disclosure of sensitive user and role data.

Recommendations

Update FUXA to version 1.3.2 or later.
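
The mismatch in the description, an authentication check that sees the raw path while routing resolves the dot-segments, can be modelled in a few lines. This JavaScript is an added example, not FUXA's code: the protected-prefix list and every function name are hypothetical, and the guard that fails closed on malformed encoding is an assumption about how a corrected check would behave.

```javascript
// Added illustration, not FUXA code. PROTECTED and all function names are hypothetical;
// the dot-segment paths used with it are the ones quoted in the advisory description.
const PROTECTED = ['/api/users', '/api/roles'];

// Remove "." and ".." segments (RFC 3986, section 5.2.4) from an absolute path.
function removeDotSegments(path) {
  const out = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue; // empty ("//") and "." segments carry no meaning
    if (seg === '..') out.pop();             // ".." steps up, but never above the root
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Path without query/fragment, percent-decoded once; null if the encoding is invalid.
function decodedPath(rawUrl) {
  try { return decodeURIComponent(rawUrl.split(/[?#]/)[0]); }
  catch (e) { return null; }
}

// Canonical form used for the auth decision; null means "malformed, reject".
function canonicalPath(rawUrl) {
  const p = decodedPath(rawUrl);
  return p === null ? null : removeDotSegments(p);
}

function isProtected(path) {
  return PROTECTED.some((p) => path === p || path.startsWith(p + '/'));
}

// Guard that matches the raw request path: the pattern the description identifies as flawed.
function rawGuardRequiresAuth(rawUrl) {
  return isProtected(rawUrl.split(/[?#]/)[0]);
}

// Guard that canonicalizes first; malformed paths are treated as protected (fail closed).
function normalizedGuardRequiresAuth(rawUrl) {
  const canon = canonicalPath(rawUrl);
  return canon === null || isProtected(canon);
}

// Log-review helper: true when a request path carries "." or ".." segments (or bad encoding).
function hasDotSegments(rawUrl) {
  const p = decodedPath(rawUrl);
  return p === null || p.split('/').some((s) => s === '.' || s === '..');
}
```

Whatever canonical form the guard uses has to be the same one the router dispatches on. For FUXA itself the remediation remains the upgrade to 1.3.2 or later.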

Fix

Authentication Bypass by Spoofing

Weakness Enumeration

Related Identifiers

CVE-2026-13207

Affected Products

Fuxa