logo

Database

Improper authorization control for web services In fuxa-server

Description

FUXA Unauthenticated Remote Arbitrary Scheduler Write

Summary

An authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This vulnerability affects FUXA version 1.2.8 through version 1.2.10. This has been patched in FUXA version 1.2.11.

Impact

This affects all deployments, including those with runtime.settings.secureEnabled set to true.

Exploitation allows an unauthenticated, remote attacker to automatically authenticate as guest and create, modify or delete schedules. These schedules can be configured to trigger immediately or cyclically, forcing connected devices to specific states or values, or executing existing scripts on the server.

Patches

This issue has been patched in FUXA version 1.2.11. Users are strongly encouraged to update to the latest available release.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-259392. NVD-2026-259393. OSV-2026-259394. GHSA-c869-jx4c-q5fc5. GCVE-2026-25939

References

1. https://github.com/frangoteam/FUXA/security/advisories/GHSA-c869-jx4c-q5fc2. https://github.com/frangoteam/FUXA/pull/21743. https://github.com/frangoteam/FUXA/commit/5782b35117a9bd14ffcb881f8dfb8c6680157d9b4. https://github.com/frangoteam/FUXA/commit/aced6ad0b6089eea4e5cef51c0a88bf4f308d45f5. https://github.com/frangoteam/FUXA/releases/tag/v1.2.11

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.