CVE-2026-47718

描述

### Summary When `secureEnabled=true`, FUXA `1.3.0-2773` still allows guest and invalid-token requests to read project, alarms, and scheduler APIs. ### Details In secure mode, requests with no token or an explicitly invalid token were still able to access protected read endpoints. Confirmed behavior: - guest `GET /api/project` returned `200 OK` - invalid-token requests to `/api/project` also returned successful responses containing project data - guest and invalid-token requests also returned `200 OK` on: - `/api/alarms` - `/api/scheduler` Relevant code paths identified during analysis: - `server/api/jwt-helper.js` - `verifyToken()` converts missing-token or invalid-token states into guest context instead of rejecting the request - `server/api/projects/index.js` - `server/api/alarms/index.js` - `server/api/scheduler/index.js` These handlers accepted the guest context and returned sensitive data in secure mode. ### PoC Tested only against isolated local lab instances under the original tester's control. No production, customer, shared, or third-party systems were involved. Reproduction: 1. Start FUXA `1.3.0-2773`. 2. Set `secureEnabled=true`. 3. Send unauthenticated requests to: - `GET /api/project` - `GET /api/alarms` - `GET /api/scheduler?id=test` 4. Observe `200 OK` responses. 5. Send the same requests with an explicitly invalid `x-access-token` value. 6. Observe the same successful responses. The exact HTTP requests and local PoC script used for confirmation can be provided upon request. ### Impact This is an authentication/authorization weakness in secure mode. Impact includes: - project metadata disclosure - alarms disclosure - scheduler information disclosure - assistance in reconnaissance/follow-on attacks Operators who believe secure mode protects these APIs are impacted.

如何修補 CVE-2026-47718

要修補 CVE-2026-47718,請將受影響套件升級到下列已修補版本。

• —升級至 1.3.1 或更新版本

CVE-2026-47718 正在被利用嗎?

目前沒有被利用訊號。CVE-2026-47718 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(1)