GHSA-vwcg-c828-9822
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vwcg-c828-9822
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-vwcg-c828-9822/GHSA-vwcg-c828-9822.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vwcg-c828-9822
- Published
- 2026-02-05T00:27:53Z
- Modified
- 2026-02-05T07:33:50.912892Z
- Severity
-
- 10.0 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
- Summary
- FUXA Unauthenticated Remote Code Execution via Admin JWT Minting
- Details
-
Description
An authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled. This issue has been patched in FUXA version 1.2.10.
Impact
Affected deployments are those with
runtime.settings.secureEnabledset totrue.Exploitation allows an unauthenticated, remote attacker to bypass all authentication mechanisms and obtain administrative access to the FUXA instance by minting administrator JWTs via the heartbeat refresh endpoint. With these elevated privileges, the attacker can interact with administrative APIs, including intended features designed for automation and scripting, to execute arbitrary code in the context of the FUXA service. Depending on deployment configuration and permissions, this may lead to full system compromise and could further expose connected ICS/SCADA environments to follow-on actions.
Patches
This issue has been patched in FUXA version 1.2.10. Users are strongly encouraged to update to the latest available release.
- Database specific
{ "cwe_ids": [ "CWE-285", "CWE-287" ], "github_reviewed_at": "2026-02-05T00:27:53Z", "nvd_published_at": null, "severity": "CRITICAL", "github_reviewed": true }- References
Affected packages
npm / fuxa-server
Package
- Name
- fuxa-server
- View open source insights on deps.dev
- Purl
- pkg:npm/fuxa-server