VYPR
High severity · CVSS 8.9 · GHSA Advisory · Published May 26, 2026 · Updated May 26, 2026

FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection

CVE-2026-43945

Description

Pre-auth RCE in FUXA via Logic Bypass

Summary

A high-severity (CVSS 3.1 8.9) vulnerability in FUXA (v1.3.0-2706) allows an unauthenticated remote attacker to bypass authentication on the Node-RED administrative endpoints and, where the Node-RED configuration exposes command-execution capable nodes, achieve Remote Code Execution (RCE) as root. The bypass succeeds even when the platform is configured in its most secure state (Secure Mode Enabled and Node-RED Secure Auth Enabled).

Details

The vulnerability is a Path Confusion flaw in the authentication middleware. The server uses a substring match on the full URL (including query parameters) to exclude certain paths from authentication.

Involved Logic:

JavaScript

const url = req.originalUrl || req.url || req.path;
if (url.includes('/socket.io')) return next();

By appending ?x=/socket.io to any administrative request, the middleware is "tricked" into treating the request as a public WebSocket handshake, bypassing the secureEnabled and nodeRedAuthMode checks entirely.

Proof of Concept

Appending a query parameter whose value contains /socket.io (for example ?x=/socket.io) to a request for a protected /nodered/* endpoint bypasses the authentication check, because the substring match is evaluated against the query string as well as the path.

In configurations where Node-RED exposed privileged or command-execution capable nodes, this could lead to remote code execution within the container context.

Impact

Access Level: Unauthenticated / Remote.

Privilege Level: Access to Node-RED administrative endpoints. Remote code execution may be possible depending on the Node-RED configuration and installed nodes.

CVSS 3.1 Score: 8.9 (High).

Description: An attacker can gain total control over the SCADA server, allowing them to intercept industrial data (MQTT/OPC-UA), manipulate PLC tags, or pivot into the internal OT network.

Root Cause & Remediation

The root cause is the reliance on req.originalUrl for security-critical routing decisions.

The Fix: The developer must use req.path (which Express pre-parses to remove the query string; note that it is also relative to the router's mount point) or a formal URL parser, so that the security check is performed only against the pathname. The fix shipped in 1.3.1 takes a related route and keys the public exemption on req.baseUrl, the Express mount point, instead (see the patch below).

JavaScript

// Secure approach: req.path is the pathname only (query string already
// removed by Express), relative to the router's mount point.
const pathname = req.path;
if (pathname.startsWith('/socket.io/')) return next();

This issue affects only setups where Node-RED is enabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated remote attacker can bypass authentication in FUXA v1.3.0-2706 via a path confusion in the middleware, leading to full RCE as root.

Vulnerability

A Path Confusion vulnerability in FUXA (v1.3.0-2706) affects the authentication middleware. The middleware uses a substring match on the full URL (including query parameters) via req.originalUrl or req.url to exclude certain paths from authentication, checking whether the URL includes /socket.io (the fix commit shows the same check also matching /dashboard). An attacker can append ?x=/socket.io to any administrative request (e.g., to /nodered/* endpoints) to trick the middleware into treating the request as a public WebSocket handshake, thereby bypassing the secureEnabled and nodeRedAuthMode checks entirely [1][2].

Exploitation

An unauthenticated remote attacker sends a crafted HTTP request to a protected endpoint, appending ?x=/socket.io to the query string. The middleware incorrectly treats this as a request to /socket.io due to the substring match, and skips all authentication checks. This grants the attacker access to administrative Node-RED endpoints. If the Node-RED configuration includes privileged or command-execution-capable nodes, the attacker can then execute arbitrary commands within the container context [1][2].

Impact

Successful exploitation yields unauthenticated, remote access to Node-RED administrative endpoints, potentially leading to full remote code execution as root. An attacker could gain total control over the SCADA server, allowing interception of industrial data (MQTT/OPC-UA), manipulation of PLC tags, or pivoting into the internal OT network [1][2].

Mitigation

The vulnerability is fixed in FUXA version v1.3.1 [3]. The fix commit (78534da61a91) removes the substring check on req.originalUrl altogether: the middleware now treats a request as public only when req.baseUrl, the Express mount point, equals '/dashboard', and no longer exempts /socket.io at all. baseUrl is set by Express from the matched mount path and is not influenced by the query string [1][2]. All users should upgrade to v1.3.1 or later. The advisory notes that only deployments with Node-RED enabled are affected; no workaround short of disabling the Node-RED integration is described for unpatched versions.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (3)
78534da61a91

Security fixes (#2260)

https://github.com/frangoteam/fuxa · Umberto Nocelli · Mar 19, 2026 · Fixed in 1.3.1 · via llm-release-walk
3 files changed · +7 −8
  • server/api/command/index.js+1 1 modified
    @@ -78,7 +78,7 @@ module.exports = {
                 if (res.statusCode === 403) {
                     runtime.logger.error("api get getTagValue: Tocken Expired");
                 } else if (!authJwt.haveAdminPermission(permission) && !runtime.scriptsMgr.isAuthorisedByScriptName(req.query.sourceScriptName, permission)) {
    -                res.status(400).json({error:"unauthorized_error", message: "Unauthorized!"});
    +                res.status(401).json({error:"unauthorized_error", message: "Unauthorized!"});
                     runtime.logger.error("api get getTagValue: Unauthorized");
                 } else {
                     try {
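Review bot: the `else if` line still lets `req.query.sourceScriptName`, a caller-supplied query parameter, satisfy the authorisation check: when `isAuthorisedByScriptName` returns true the request proceeds even though `haveAdminPermission(permission)` failed, so any client that knows an existing script's name inherits that script's permission. The 400 to 401 change is correct (it is an authentication failure, not a malformed request) but does not touch that trust boundary; consider binding the script identity to something the client cannot choose, such as a server-issued token carried with the script's own call. While this file is open, the log text `"api get getTagValue: Tocken Expired"` in the surrounding context should read `Token Expired`.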
    
  • server/integrations/node-red/index.js+4 5 modified
    @@ -152,12 +152,11 @@ async function mountNodeRedIfInstalled({ app, server, settings, runtime, logger,
             });
         };
     
    -    // Allow public dashboard UI and socket.io; require JWT or API key for admin/editor/flows when security is enabled
    +    // Allow only dashboard routes as public; require JWT or API key for admin/editor/flows when security is enabled
         const allowDashboard = (req, res, next) => {
    -        const url = req.originalUrl || req.url || req.path;
    -
    -        // Public dashboard UI and its HTTP APIs (served from httpNodeRoot/ui.path)
    -        if (url.includes('/dashboard') || url.includes('/socket.io')) return next();
    +        // Public dashboard UI and its HTTP APIs (served from httpNodeRoot/ui.path).
    +        // baseUrl comes from Express mount point and is not affected by query/path tricks.
    +        if (req.baseUrl === '/dashboard') return next();
     
             if (!settings.secureEnabled || settings.nodeRedAuthMode === 'legacy-open') {
                 return next();
    
  • server/runtime/scripts/index.js+2 2 modified
    @@ -106,7 +106,7 @@ function ScriptsManager(_runtime) {
         this.isAuthorisedByScriptName = function (scriptName, permission) {
             const script = scriptModule.getScriptByName(scriptName);
             if (!script) {
    -            return true;
    +            return false;
             }
             return this.isAuthorised(script, permission);
         }
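Review bot: returning `false` for an unknown `scriptName` is the right fail-closed default, but the early return is silent, so a probe for valid script names (or a client sending a stale name) is indistinguishable in the logs from an ordinary permission denial at the `isAuthorised` call. Consider a warning through `_runtime.logger` with the rejected name before the `return false` so the callers in api/command can surface it alongside their own "Unauthorized" log line.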
    @@ -366,4 +366,4 @@ const ScriptSchedulingMode = {
     const SchedulerType = {
         weekly: 0,
         date: 1,
    -}
    \ No newline at end of file
    +}
    

Vulnerability mechanics

Root cause

"The authentication middleware uses a substring match on the full URL (including query parameters) instead of the pathname alone, allowing query-string injection to bypass security checks."

Attack vector

An unauthenticated remote attacker sends a crafted HTTP request to a protected administrative endpoint (e.g., /nodered/*) with a query parameter such as ?x=/socket.io appended [ref_id=1][ref_id=2]. The middleware evaluates `req.originalUrl` with `.includes('/socket.io')`, which matches the injected query string rather than the actual path, causing it to call `next()` and skip all authentication checks [ref_id=1][ref_id=2]. This grants the attacker access to Node-RED administrative endpoints without any credentials. If Node-RED is configured with command-execution-capable nodes, the attacker can achieve full remote code execution as root within the container [ref_id=1][ref_id=2].

Affected code

The vulnerable check is the `allowDashboard` middleware in server/integrations/node-red/index.js (visible in the fix commit): it reads `const url = req.originalUrl || req.url || req.path;` and returns early with `if (url.includes('/dashboard') || url.includes('/socket.io')) return next();`, so `/dashboard` works as the injected token just as `/socket.io` does [ref_id=1][ref_id=2]. The middleware gates the Node-RED admin/editor/flows routes served under `/nodered/*` whenever `settings.secureEnabled` is on and `nodeRedAuthMode` is not `'legacy-open'` [ref_id=1].

What the fix does

The patch (commit 78534da61a91613712b44bb63c8d7da8c5df5ca5) deletes the `url.includes('/dashboard') || url.includes('/socket.io')` check that operated on `req.originalUrl` and replaces it with `if (req.baseUrl === '/dashboard') return next();` [patch_id=2594845]. `req.baseUrl` is the mount path Express matched when routing the request, so it is derived from the pathname and cannot be influenced by the query string; the `/socket.io` exemption is dropped entirely, leaving only dashboard routes public [patch_id=2594845]. This differs from the `req.path` / `startsWith('/socket.io/')` approach the advisory suggests, but both decide on a pathname component Express computes rather than on the raw URL [ref_id=1][ref_id=2]. The same commit also hardens two related paths: the command API now answers 401 rather than 400 on an authorisation failure, and `isAuthorisedByScriptName` returns `false` instead of `true` when the named script does not exist [patch_id=2594845].
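To make the three checks comparable side by side (the substring match the advisory's Details section and the fix commit show, the req.path suggestion in the advisory's Remediation section, and the req.baseUrl check that shipped), here is an added example written for this page, not code from FUXA or the advisory. Express is not loaded: `mockExpressReq` fills in the fields Express would populate on a request, and the mount table, the `fuxa.example` host and the `/nodered/flows` admin path are assumptions of the example.

```javascript
// Added example, not FUXA's own code: the vulnerable allowlist check, the
// advisory's req.path suggestion and the shipped req.baseUrl check, run
// against constructed request targets. Mount points are assumed for the
// example and do not describe FUXA's real routing.
const MOUNTS = ['/dashboard', '/nodered']; // assumed mount points (example only)

// Build a request as Express hands it to middleware mounted under MOUNTS:
// baseUrl is the mount that matched, path is the pathname relative to that
// mount with the query string removed, originalUrl is the raw request target.
function mockExpressReq(originalUrl) {
  const { pathname } = new URL(originalUrl, 'http://fuxa.example'); // base only to parse a relative target
  let baseUrl = '';
  let path = pathname;
  for (const mount of MOUNTS) {
    if (pathname === mount || pathname.startsWith(mount + '/')) {
      baseUrl = mount;
      path = pathname.slice(mount.length) || '/';
      break;
    }
  }
  return { originalUrl, url: originalUrl, baseUrl, path };
}

// Pre-1.3.1 check as shown in the fix commit: substring match on the full
// URL, query string included.
function vulnerableIsPublic(req) {
  const url = req.originalUrl || req.url || req.path;
  return url.includes('/dashboard') || url.includes('/socket.io');
}

// Advisory's suggestion: compare req.path only. req.path is relative to the
// mount, so this exempts the socket.io route inside whichever mount the
// middleware sits on and nothing else.
function advisoryIsPublic(req) {
  return req.path.startsWith('/socket.io/');
}

// Shipped in 1.3.1: trust only the Express mount point.
function upstreamIsPublic(req) {
  return req.baseUrl === '/dashboard';
}

// Evaluate one request target under all three checks; true means the
// middleware would call next() without authenticating.
function decide(originalUrl) {
  const req = mockExpressReq(originalUrl);
  return {
    vulnerable: vulnerableIsPublic(req),
    advisory: advisoryIsPublic(req),
    upstream: upstreamIsPublic(req),
  };
}

// Constructed targets; /nodered/flows stands in for a protected admin route.
const TARGETS = [
  '/nodered/flows',                              // protected, no trick
  '/nodered/flows?x=/socket.io',                 // the bypass from the advisory
  '/nodered/flows?next=/dashboard',              // same trick with the other token
  '/nodered/socket.io/?EIO=4&transport=polling', // a socket.io handshake under the mount
  '/dashboard/ui?x=1',                           // public dashboard UI
];

for (const t of TARGETS) {
  const d = decide(t);
  console.log(`${t.padEnd(46)} vulnerable=${d.vulnerable} advisory=${d.advisory} upstream=${d.upstream}`);
}
```

The two query-string targets are the ones that matter: only the vulnerable form lets them through. The last two rows show the difference between the two hardened variants, which is a policy choice rather than a bug: the advisory's version keeps a socket.io handshake under the Node-RED mount public, whereas the shipped version exempts exactly the dashboard mount and nothing else.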

Preconditions

  • FUXA version 1.3.0-2706 or earlier (patched in >= 1.3.1)
  • Node-RED must be enabled on the FUXA server
  • Network access to the FUXA web server (HTTP/HTTPS)

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (3)
