{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/fuxa-server--1.3.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["fuxa-server (= 1.3.0)"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","information-disclosure","cve"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eFUXA server version 1.3.0 is vulnerable to an unauthenticated arbitrary tag value disclosure (CVE-2026-43946) via the \u003ccode\u003e/api/getTagValue\u003c/code\u003e endpoint. The vulnerability stems from an authorization bypass that occurs when a request is made to \u003ccode\u003e/api/getTagValue\u003c/code\u003e referencing a script that does not exist. This causes the \u003ccode\u003eisAuthorisedByScriptName()\u003c/code\u003e function to return \u003ccode\u003etrue\u003c/code\u003e for the guest user, effectively bypassing authentication checks. An unauthenticated attacker can then retrieve arbitrary tag values by ID. 
This vulnerability allows unauthorized access to potentially sensitive information managed by the FUXA server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an unauthenticated HTTP request to the \u003ccode\u003e/api/getTagValue\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request lacks an \u003ccode\u003ex-api-key\u003c/code\u003e header, so \u003ccode\u003eserver/api/apikeys/verify-api-or-token.js\u003c/code\u003e forwards the request to \u003ccode\u003eauthJwt.verifyToken(req, res, next)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSince no \u003ccode\u003ex-access-token\u003c/code\u003e is provided either, \u003ccode\u003eserver/api/jwt-helper.js\u003c/code\u003e generates a signed guest token. This is the normal anonymous flow rather than the defect: every request without credentials is given a guest identity.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eserver/api/jwt-helper.js\u003c/code\u003e populates \u003ccode\u003ereq.userId\u003c/code\u003e and \u003ccode\u003ereq.userGroups\u003c/code\u003e from the guest token.\u003c/li\u003e\n\u003cli\u003eThe request reaches \u003ccode\u003e/api/command/index.js\u003c/code\u003e, which handles \u003ccode\u003e/api/getTagValue\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe authorization check in \u003ccode\u003e/api/command/index.js\u003c/code\u003e calls \u003ccode\u003eisAuthorisedByScriptName()\u003c/code\u003e with the script name supplied by the request.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eserver/runtime/scripts/index.js\u003c/code\u003e looks up the referenced script. When no script with that name exists, \u003ccode\u003eisAuthorisedByScriptName()\u003c/code\u003e returns \u003ccode\u003etrue\u003c/code\u003e rather than \u003ccode\u003efalse\u003c/code\u003e: the check fails open on a lookup miss.\u003c/li\u003e\n\u003cli\u003eThe guest request passes authorization, and the attacker retrieves arbitrary tag values by ID.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to retrieve arbitrary tag values 
managed by the FUXA server. FUXA is an HMI/SCADA front end, so tags typically hold live process values read from connected devices; how sensitive the disclosure is depends on what those tags carry. The vulnerability affects FUXA server version 1.3.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/api/getTagValue\u003c/code\u003e without an \u003ccode\u003ex-api-key\u003c/code\u003e or \u003ccode\u003ex-access-token\u003c/code\u003e header, using the Sigma rule \u003ccode\u003eDetect Unauthenticated FUXA Tag Value Access\u003c/code\u003e. Stock access logs do not record request headers, so this rule needs header logging enabled on the reverse proxy or on FUXA itself.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for requests to \u003ccode\u003e/api/getTagValue\u003c/code\u003e whose \u003ccode\u003esourceScriptName\u003c/code\u003e does not match any script deployed on the server, using the Sigma rule \u003ccode\u003eDetect FUXA Tag Value Access with Missing Script\u003c/code\u003e. This rule needs the list of deployed script names as input; a hit that carries valid credentials still deserves triage, since no legitimate client should reference a script that does not exist.\u003c/li\u003e\n\u003cli\u003eUpgrade FUXA server to a patched version that addresses CVE-2026-43946.\u003c/li\u003e\n\u003cli\u003eUntil the upgrade is applied, do not expose the FUXA HTTP API to untrusted networks: the bypass needs no credentials, so a network boundary is the only control in front of it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T23:44:19Z","date_published":"2026-05-26T23:44:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-fuxa-tag-disclosure/","summary":"FUXA server 1.3.0 has an unauthenticated arbitrary tag value disclosure vulnerability (CVE-2026-43946); an authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist.","title":"FUXA Server Unauthenticated Tag Value Disclosure (CVE-2026-43946)","url":"https://feed.craftedsignal.io/briefs/2026-05-fuxa-tag-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — Fuxa-Server (= 1.3.0)","version":"https://jsonfeed.org/version/1.1"}
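The two detection conditions in the recommendations above, run over sample log records, as an added example that is not code from the FUXA project, the advisory, or the Sigma rules it names. It assumes a reverse proxy in front of FUXA that writes one JSON object per request with the request URL and headers (stock access logs omit headers), that `sourceScriptName` arrives as a query parameter, and that the detector is given the names of the scripts actually deployed on the server (`KNOWN_SCRIPTS`, an assumed list). The log records are constructed, not captured traffic, and the tag-id parameter is left out of the sample URLs because the advisory does not name it.

```javascript
// Added example (not FUXA project code): apply the advisory's two detection
// conditions to newline-delimited JSON access-log records.
// Assumed log shape: { ts, src, url, headers } per line, headers as an object.

const KNOWN_SCRIPTS = new Set(['ReadLevel', 'AlarmSummary']); // assumed deployment

// Either header satisfies the api-key/token middleware the advisory describes.
const AUTH_HEADERS = ['x-api-key', 'x-access-token'];

const TARGET_PATH = '/api/getTagValue';

function lowerKeys(obj) {
  const out = {};
  for (const [k, v] of Object.entries(obj || {})) out[k.toLowerCase()] = v;
  return out;
}

// Returns null for uninteresting records, otherwise an alert object.
function inspectRequest(rec, knownScripts = KNOWN_SCRIPTS) {
  const url = new URL(rec.url, 'http://fuxa.invalid'); // base only lets relative URLs parse
  if (url.pathname !== TARGET_PATH) return null;

  const headers = lowerKeys(rec.headers);
  const findings = [];

  // Rule 1: the endpoint was reached with no credential header at all, which
  // means the request was served under the automatically issued guest token.
  const hasCredential = AUTH_HEADERS.some(
    (h) => typeof headers[h] === 'string' && headers[h].length > 0,
  );
  if (!hasCredential) findings.push('unauthenticated-tag-value-access');

  // Rule 2: sourceScriptName names a script that is not deployed here, the
  // condition that makes the authorization check fail open.
  const script = url.searchParams.get('sourceScriptName');
  if (script !== null && !knownScripts.has(script)) {
    findings.push('tag-value-access-missing-script');
  }

  if (findings.length === 0) return null;
  return { ts: rec.ts, src: rec.src, query: url.search, script, findings };
}

// Scans newline-delimited JSON; malformed lines are skipped rather than fatal.
function scanLog(text, knownScripts = KNOWN_SCRIPTS) {
  const alerts = [];
  for (const line of text.split('\n')) {
    const t = line.trim();
    if (!t) continue;
    let rec;
    try { rec = JSON.parse(t); } catch { continue; }
    const hit = inspectRequest(rec, knownScripts);
    if (hit) alerts.push(hit);
  }
  return alerts;
}

// Constructed sample records, not captured traffic.
const SAMPLE_LOG = [
  // operator session, existing script: benign
  { ts: '2026-05-26T10:00:01Z', src: '10.0.0.5',
    url: '/api/getTagValue?sourceScriptName=ReadLevel',
    headers: { 'x-access-token': 'example-jwt' } },
  // no credentials and a script that does not exist: the advisory's pattern
  { ts: '2026-05-26T10:00:07Z', src: '203.0.113.9',
    url: '/api/getTagValue?sourceScriptName=doesNotExist',
    headers: { 'user-agent': 'curl/8.6.0' } },
  // unrelated endpoint, ignored
  { ts: '2026-05-26T10:00:09Z', src: '203.0.113.9', url: '/api/settings', headers: {} },
  // valid api key but unknown script: rule 2 only, still worth triage
  { ts: '2026-05-26T10:00:12Z', src: '10.0.0.7',
    url: '/api/getTagValue?sourceScriptName=Typo',
    headers: { 'x-api-key': 'k-example' } },
].map((r) => JSON.stringify(r)).join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const a of scanLog(SAMPLE_LOG)) console.log(JSON.stringify(a));
}
```

On the constructed sample, the second record trips both rules and the fourth trips only the missing-script rule; the first and third produce nothing. Feeding `KNOWN_SCRIPTS` from the server's actual script configuration is what keeps rule 2 from flagging legitimate clients.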