CVE-2026-13207
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk27th percentile — higher than 27% of all known CVEs
Summary
FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials.
Risk Assessment
The risk involves unauthorized access to sensitive user and role data, potentially leading to information disclosure, privilege escalation, or further attacks on the system.
Recommendation
It is recommended to immediately update FUXA to a version later than 1.3.1 that includes a fix for normalizing paths before authentication. If an update is not possible, temporarily restrict API access using a firewall or reverse proxy.
Original NVD description (English source)
FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials.

