FUXA provides guest and invalid-token access to protected read APIs in secure mode
Description
Summary
When secureEnabled=true, FUXA 1.3.0-2773 still allows guest and invalid-token requests to read project, alarms, and scheduler APIs.
Details
In secure mode, requests with no token or an explicitly invalid token were still able to access protected read endpoints.
Confirmed behavior:
- guest
GET /api/projectreturned200 OK - invalid-token requests to
/api/projectalso returned successful responses containing project data - guest and invalid-token requests also returned
200 OKon: /api/alarms/api/scheduler
Relevant code paths identified during analysis:
server/api/jwt-helper.jsverifyToken()converts missing-token or invalid-token states into guest context instead of rejecting the requestserver/api/projects/index.jsserver/api/alarms/index.jsserver/api/scheduler/index.js
These handlers accepted the guest context and returned sensitive data in secure mode.
PoC
Tested only against isolated local lab instances under the original tester's control. No production, customer, shared, or third-party systems were involved.
Reproduction:
1. Start FUXA 1.3.0-2773. 2. Set secureEnabled=true. 3. Send unauthenticated requests to: - GET /api/project - GET /api/alarms - GET /api/scheduler?id=test 4. Observe 200 OK responses. 5. Send the same requests with an explicitly invalid x-access-token value. 6. Observe the same successful responses.
The exact HTTP requests and local PoC script used for confirmation can be provided upon request.
Impact
This is an authentication/authorization weakness in secure mode.
Impact includes:
- project metadata disclosure
- alarms disclosure
- scheduler information disclosure
- assistance in reconnaissance/follow-on attacks
Operators who believe secure mode protects these APIs are impacted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FUXA 1.3.0-2773 with secureEnabled=true allows unauthenticated access to project, alarms, and scheduler APIs due to improper token validation.
Vulnerability
In FUXA version 1.3.0-2773 with secureEnabled=true, the verifyToken() function in server/api/jwt-helper.js converts missing or invalid tokens into a guest context instead of rejecting the request. Handlers in server/api/projects/index.js, server/api/alarms/index.js, and server/api/scheduler/index.js accept this guest context and return sensitive data. This affects only version 1.3.0-2773 [1][2].
Exploitation
An attacker with network access to the FUXA instance can send unauthenticated GET requests to /api/project, /api/alarms, and /api/scheduler?id=test. No authentication or user interaction is required. The server responds with 200 OK and returns project metadata, alarms, and scheduler information. Even requests with an explicitly invalid x-access-token header succeed [1][2].
Impact
Successful exploitation leads to disclosure of project metadata, alarms, and scheduler information. This aids reconnaissance and follow-on attacks. The vulnerability is an authentication/authorization weakness in secure mode, undermining the protection operators expect [1][2].
Mitigation
The fix is released in version 1.3.1 [3]. Users should upgrade to 1.3.1 or later. No workaround is mentioned. The vulnerability is not listed on CISA KEV as of publication [1][2][3].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- Range: = 1.3.0-2773
Patches
178534da61a91Security fixes (#2260)
3 files changed · +7 −8
server/api/command/index.js+1 −1 modified@@ -78,7 +78,7 @@ module.exports = { if (res.statusCode === 403) { runtime.logger.error("api get getTagValue: Tocken Expired"); } else if (!authJwt.haveAdminPermission(permission) && !runtime.scriptsMgr.isAuthorisedByScriptName(req.query.sourceScriptName, permission)) { - res.status(400).json({error:"unauthorized_error", message: "Unauthorized!"}); + res.status(401).json({error:"unauthorized_error", message: "Unauthorized!"}); runtime.logger.error("api get getTagValue: Unauthorized"); } else { try {
server/integrations/node-red/index.js+4 −5 modified@@ -152,12 +152,11 @@ async function mountNodeRedIfInstalled({ app, server, settings, runtime, logger, }); }; - // Allow public dashboard UI and socket.io; require JWT or API key for admin/editor/flows when security is enabled + // Allow only dashboard routes as public; require JWT or API key for admin/editor/flows when security is enabled const allowDashboard = (req, res, next) => { - const url = req.originalUrl || req.url || req.path; - - // Public dashboard UI and its HTTP APIs (served from httpNodeRoot/ui.path) - if (url.includes('/dashboard') || url.includes('/socket.io')) return next(); + // Public dashboard UI and its HTTP APIs (served from httpNodeRoot/ui.path). + // baseUrl comes from Express mount point and is not affected by query/path tricks. + if (req.baseUrl === '/dashboard') return next(); if (!settings.secureEnabled || settings.nodeRedAuthMode === 'legacy-open') { return next();
server/runtime/scripts/index.js+2 −2 modified@@ -106,7 +106,7 @@ function ScriptsManager(_runtime) { this.isAuthorisedByScriptName = function (scriptName, permission) { const script = scriptModule.getScriptByName(scriptName); if (!script) { - return true; + return false; } return this.isAuthorised(script, permission); } @@ -366,4 +366,4 @@ const ScriptSchedulingMode = { const SchedulerType = { weekly: 0, date: 1, -} \ No newline at end of file +}
Vulnerability mechanics
Root cause
"verifyToken() converts missing or invalid tokens into a guest context instead of rejecting the request, and route handlers return sensitive data under that guest context in secure mode."
Attack vector
An attacker sends HTTP GET requests to `/api/project`, `/api/alarms`, or `/api/scheduler` without any `x-access-token` header, or with an explicitly invalid token value [ref_id=2][ref_id=3]. The `verifyToken()` function in `server/api/jwt-helper.js` silently converts these missing/invalid-token states into a guest context rather than rejecting the request [ref_id=2][ref_id=3]. The route handlers then process the request under the guest context and return sensitive project, alarm, and scheduler data in the HTTP 200 OK response [ref_id=2][ref_id=3]. No authentication or prior access is required; the only precondition is that the server is running FUXA 1.3.0-2773 with `secureEnabled=true` [ref_id=2][ref_id=3].
Affected code
The vulnerability resides in `server/api/jwt-helper.js`, where `verifyToken()` converts missing-token or invalid-token states into a guest context instead of rejecting the request [ref_id=2][ref_id=3]. The downstream route handlers in `server/api/projects/index.js`, `server/api/alarms/index.js`, and `server/api/scheduler/index.js` accept this guest context and return sensitive data even when `secureEnabled=true` [ref_id=2][ref_id=3].
What the fix does
The advisory references a fix in FUXA v1.3.1 [ref_id=2], but the bundle does not include a patch diff. Based on the root cause described in the advisory, the fix must modify `verifyToken()` in `server/api/jwt-helper.js` to reject requests that carry no token or an invalid token when `secureEnabled=true`, rather than downgrading them to a guest context [ref_id=2][ref_id=3]. The route handlers in `server/api/projects/index.js`, `server/api/alarms/index.js`, and `server/api/scheduler/index.js` should also enforce an authorization check that denies guest contexts from accessing protected read endpoints [ref_id=2][ref_id=3].
Preconditions
- configFUXA 1.3.0-2773 must be running with secureEnabled=true
- authNo authentication token required; attacker can send requests without any token or with an invalid token
- networkAttacker must have network access to the FUXA server's HTTP endpoint
- inputAttacker sends GET requests to /api/project, /api/alarms, or /api/scheduler
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.