Description
FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials.
Published: 2026-06-30
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by a failure to perform dot-segment path normalization in the FUXA REST API router. Authentication middleware is applied before path components are normalized, so an attacker can reach protected endpoints through dot-segment request paths such as "/api/./users" or "/api/project/../users". These malformed requests are treated as legitimate and return sensitive user and role information without any credentials, violating confidentiality. The flaw is identified as CWE-290, Authentication Bypass by Spoofing.
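The ordering defect described above, as an added JavaScript example that is not FUXA's code: a route guard that matches the raw request path misses the dot-segment forms quoted in this advisory, while a guard that applies RFC 3986 dot-segment removal before matching treats them as the protected route. The protected-route list and the function names are hypothetical.

```javascript
// Added illustration (not FUXA's code). PROTECTED_PREFIXES and the function
// names are hypothetical; the protected paths follow the advisory's examples.
const PROTECTED_PREFIXES = ["/api/users", "/api/roles"];

// Canonicalize a request path before any security decision is made on it:
// strip query/fragment, decode each segment's percent-encoding, then remove
// dot-segments as in RFC 3986 section 5.2.4. Returns null when a segment
// cannot be decoded so that callers can fail closed.
function normalizePath(rawPath) {
  const path = rawPath.split("?")[0].split("#")[0];
  const out = [];
  for (const rawSeg of path.split("/")) {
    let seg;
    try {
      seg = decodeURIComponent(rawSeg); // per segment, so "%2F" stays inside one
    } catch (e) {
      return null; // malformed percent-encoding: refuse to reason about it
    }
    if (seg === "" || seg === ".") continue;   // "." and empty segments vanish
    if (seg === "..") { out.pop(); continue; } // ".." pops, never above root
    out.push(seg);
  }
  return "/" + out.join("/");
}

function matchesProtected(path) {
  return PROTECTED_PREFIXES.some((p) => path === p || path.startsWith(p + "/"));
}

// Vulnerable ordering: the guard sees the raw path, so "/api/./users" is not
// recognized as "/api/users" and the request passes without credentials.
function requiresAuthRaw(rawPath) {
  return matchesProtected(rawPath);
}

// Fixed ordering: canonicalize first, then match. Undecodable paths require
// auth (fail closed) instead of slipping past the guard.
function requiresAuthNormalized(rawPath) {
  const canonical = normalizePath(rawPath);
  return canonical === null ? true : matchesProtected(canonical);
}

// Constructed sample requests, including the shapes quoted in the advisory.
const SAMPLES = ["/api/users", "/api/./users", "/api/./roles",
                 "/api/project/../users", "/api/project"];

for (const p of SAMPLES) {
  console.log(p.padEnd(24), "raw guard:", requiresAuthRaw(p),
              " normalized guard:", requiresAuthNormalized(p));
}
```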

Affected Systems

The affected product is Frangoteam’s FUXA SCADA/HMI system. Versions 1.3.1 and all earlier releases contain the flaw. Updating to version 1.3.2 or later removes the vulnerability.

Risk and Exploitability

With a CVSS score of 8.7 the vulnerability is considered high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that no publicly documented exploits are known at this time. The likely attack vector is network-based: an attacker sends HTTP requests to the exposed REST API. If the API is reachable from public or untrusted networks, an attacker can craft dot-segment requests to harvest user and role data without authentication.

Generated by OpenCVE AI on June 30, 2026 at 22:25 UTC.

Remediation

Vendor Solution

Frangoteam recommends that users apply FUXA version 1.3.2 or later: https://github.com/frangoteam/FUXA/releases

OpenCVE Recommended Actions

  • Upgrade FUXA to version 1.3.2 or later
  • Restrict network access to the REST API using firewall rules or network segmentation
  • If possible, disable or block public exposure of the REST API until the update is applied

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 21:00:00 +0000

Values added (no values removed):

  • Description: identical to the description at the top of this page
  • Title: Frangoteam FUXA SCADA/HMI Authentication Bypass by Spoofing
  • Weaknesses: CWE-290
  • References: none
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-30T20:24:33.449Z

Reserved: 2026-06-24T14:31:56.877Z

Link: CVE-2026-13207

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T22:30:06Z

Weaknesses

  • CWE-290: Authentication Bypass by Spoofing