VYPR
← All advisories
Medium severity6.3NVD Advisory· Published Jun 8, 2026· Updated Jun 8, 2026

FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions

CVE-2026-47721

Description

Summary

An authorization issue in the Scheduler API allowed authenticated non-admin users to create or modify scheduled actions that should be restricted to administrators.

Details

The Scheduler API did not correctly enforce administrator permissions when processing scheduler modifications.

As a result, authenticated users with non-administrative roles could create or modify scheduled actions that execute privileged operations, including device value changes and server-side script execution.

The issue was fixed in version 1.3.2 by enforcing the appropriate permission checks for scheduler modifications.

Impact

An operator-level user in FUXA reaches the PLC-write and server-side-script-execution surface that the platform otherwise restricts to administrators. In a SCADA deployment those two privileges cover setpoint control and the automation scripting engine. Alice schedules a job that rewrites a pump's enable tag, opens a safety interlock, or runs a project script that walks the device tree. The scheduled-action model extends the attack: Alice does not need to keep a session open for the action to fire, and a repeating schedule re-applies her changes every cycle even if an admin reverts them manually.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (Medium, 6.3). CWE-862.

Recommended

Fix

Add authJwt.haveAdminPermission(permission) to both POST /api/scheduler and DELETE /api/scheduler, matching every other write endpoint that reaches runtime.devices.setTagValue or runtime.scriptsMgr.runScript.

schedulerApp.post("/api/scheduler", secureFnc, function(req, res) {
    if (res.statusCode === 403) {
        runtime.logger.error("api post scheduler: Tocken Expired");
        return;
    }
    const permission = checkGroupsFnc(req);
    const isGuest = authJwt.isGuestUser(req.userId, req.userGroups);
    if (runtime.settings?.secureEnabled && (isGuest || !authJwt.haveAdminPermission(permission))) {
        res.status(401).json({error:"unauthorized_error", message: "Unauthorized!"});
        runtime.logger.error("api post scheduler: admin permission required");
        return;
    }
    // ... rest unchanged ...
});

Apply the same change to the delete handler at server/api/scheduler/index.js:102-112. As defense in depth, the scheduler service should also validate each deviceActions entry against the creator's stored groups before execution (e.g., reject onRunScript on any scheduler whose author is not an admin at execution time).

--- A fix is available at https://github.com/frangoteam/FUXA/releases/tag/v1.3.2.

--- *Found by aisafe.io*

Affected products

2

Patches

1
e16b7a8818c4

Build for release 1.3.2

https://github.com/frangoteam/fuxaunocelliMay 19, 2026Fixed in 1.3.2via release-tag
commit
6 files changed · +18 5
  • client/dist/index.html+1 1 modified
    @@ -86,6 +86,6 @@
             </div>
         </div>
     </app-root>
-<script src="runtime.9136a61a9b98f987.js" type="module"></script><script src="polyfills.d7de05f9af2fb559.js" type="module"></script><script src="scripts.d9e6ee984bf6f3b7.js" defer></script><script src="main.e774d930909a7512.js" type="module"></script></body>
+<script src="runtime.9136a61a9b98f987.js" type="module"></script><script src="polyfills.d7de05f9af2fb559.js" type="module"></script><script src="scripts.d9e6ee984bf6f3b7.js" defer></script><script src="main.6b9fca5ddf0b0488.js" type="module"></script></body>
 
 </html>
  • client/dist/main.6b9fca5ddf0b0488.js+1 1 renamed
  • client/package.json+1 1 modified
    @@ -1,6 +1,6 @@
 {
   "name": "fuxa",
-  "version": "1.3.2-2826",
+  "version": "1.3.2-2827",
   "keywords": [],
   "author": "frangoteam <info@frangoteam.org>",
   "description": "Web-based Process Visualization (SCADA/HMI/Dashboard) software",
  • client/proxy.conf.json+13 0 modified
    @@ -1,4 +1,17 @@
 {
+    "/api": {
+      "target": "http://127.0.0.1:1881",
+      "secure": false,
+      "logLevel": "debug",
+      "changeOrigin": true
+    },
+    "/socket.io": {
+      "target": "http://127.0.0.1:1881",
+      "secure": false,
+      "logLevel": "debug",
+      "changeOrigin": true,
+      "ws": true
+    },
     "/resources": {
       "target": "http://127.0.0.1:1881",
       "secure": false,
  • .github/workflows/docker_release.yml+1 1 modified
    @@ -2,7 +2,7 @@ name: Build and Publish DHI release
 
 env:
   app: fuxa
-  version: 1.3.1
+  version: 1.3.2
   # for available platforms see output of a previous run -
   # ie the "Setup Docker BuildX" / "Inspect Builder" section
   # has eg "node_platforms": "linux/amd64,linux/arm64,linux/riscv64,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7,linux/arm/v6"
  • server/package.json+1 1 modified
    @@ -1,6 +1,6 @@
 {
   "name": "fuxa-server",
-  "version": "1.3.2-2826",
+  "version": "1.3.2-2827",
   "description": "Web-based Process Visualization (SCADA/HMI/Dashboard) software",
   "main": "main.js",
   "scripts": {

Vulnerability mechanics

Root cause

"The Scheduler API did not correctly enforce administrator permissions for scheduler modifications."

Attack vector

An authenticated user with non-administrative privileges can exploit this vulnerability. By sending a crafted request to the Scheduler API, they can create or modify scheduled actions. These actions can then execute privileged operations such as changing device values or running server-side scripts, which are normally restricted to administrators [ref_id=1]. The scheduled nature of these actions means they can execute even if the user's session is closed, and repeating schedules can re-apply changes.

Affected code

The vulnerability lies within the Scheduler API, specifically in the handling of `POST /api/scheduler` and `DELETE /api/scheduler` requests. The provided patch indicates changes to `server/package.json` and related build files, but the core logic fix is described as adding `authJwt.haveAdminPermission(permission)` to these endpoints, as shown in the example for the POST handler [ref_id=1].

What the fix does

The fix involves adding a check for administrator permissions using `authJwt.haveAdminPermission(permission)` to both the `POST /api/scheduler` and `DELETE /api/scheduler` endpoints [patch_id=5276387]. This ensures that only users with administrative privileges can modify or create scheduled actions that perform sensitive operations like `runtime.devices.setTagValue` or `runtime.scriptsMgr.runScript`. This aligns the scheduler endpoints with other write endpoints that already enforce these permission checks [ref_id=1].

Preconditions

  • authThe attacker must be an authenticated user with non-administrative privileges.

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.