CVE-2026-13207 PUBLISHED

Frangoteam FUXA SCADA/HMI Authentication Bypass by Spoofing

Assigner: icscert
Reserved: 24.06.2026 Published: 30.06.2026 Updated: 30.06.2026

FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor Frangoteam
Product FUXA SCADA/HMI
Versions Default: unaffected
  • affected from 0 to 1.3.1 (incl.)
  • Version 1.3.2 is unaffected

Solutions

Frangoteam recommends users apply the latest version of FUXA 1.3.2 or later https://github.com/frangoteam/FUXA/releases. https://github.com/frangoteam/FUXA/releases

Credits

  • Joshua Hayes of Cited Relevance LLC reported this vulnerability to CISA. finder

References

Problem Types

  • CWE-290 Authentication bypass by spoofing CWE