Description
Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise the confidentiality of the affected resource, provided they have a valid token with which to interact with the API.
Published: 2026-04-22
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: Unauthorized access and potential data exposure through unauthenticated token acquisition
Action: Immediate Patch
AI Analysis

Impact

Fullstep V5 contains an inadequate access control flaw that allows an unauthenticated user to register and receive a valid JSON Web Token (JWT). With this token the attacker can invoke authenticated API endpoints, thereby accessing protected resources and potentially exposing sensitive data. The vulnerability aligns with CWE‑306, improper authorization.

Affected Systems

Fullstep’s main product, versions 5.x prior to 5.30.07, are affected. The Fixed version 5.30.07, released on January 29, 2026, addresses the issue.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. EPSS information is not available, so the exploitation probability is unknown. The vulnerability is not listed in CISA’s KEV catalog. A likely attack path involves a remote web request to the registration endpoint, enabling token acquisition without authentication. Once a token is obtained, the attacker can access otherwise protected API resources, potentially compromising confidentiality of the data exposed by those endpoints.

Generated by OpenCVE AI on April 22, 2026 at 15:00 UTC.

Remediation

Vendor Solution

The vulnerability has been fixed by the Fullstep team in version 5.30.07, which has been available in production since January 29, 2026.

OpenCVE Recommended Actions

  • Upgrade to Fullstep 5.30.07 or newer, which contains the fix for the token issuance flaw.
  • Limit exposure of the registration endpoint by restricting access to trusted networks or applying IP whitelisting to reduce the opportunity for unauthenticated requests.
  • Ensure that all API endpoints enforce proper authorization checks, verifying the JWT and associated scopes before granting access to protected resources.

Generated by OpenCVE AI on April 22, 2026 at 15:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise the confidentiality of the affected resource, provided they have a valid token with which to interact with the API.
Title Inadequate access control vulnerability in Fullstep
First Time appeared Fullstep
Fullstep fullstep
Weaknesses CWE-306
CPEs cpe:2.3:a:fullstep:fullstep:5.30.07:*:*:*:*:*:*:*
cpe:2.3:a:fullstep:fullstep:5:*:*:*:*:*:*:*
Vendors & Products Fullstep
Fullstep fullstep
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Fullstep Fullstep
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-04-22T14:06:57.793Z

Reserved: 2026-04-07T15:31:14.737Z

Link: CVE-2026-5749

cve-icon Vulnrichment

Updated: 2026-04-22T14:02:57.631Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T14:17:05.993

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-5749

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T15:15:16Z

Weaknesses