CVE 8.7 HIGH

Inadequate access control vulnerability in Fullstep_CVE-2026-5749

April 22, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise the confidentiality of the affected resource, provided they have a valid token with which to interact with the API.

AI Analysis

Inadequate access control vulnerability in the registration process, allowing unauthenticated users to obtain a valid JWT token and interact with authenticated API resources.

Basic Information

ID CVE-2026-5749

Source INCIBE

Published Apr 22, 2026 at 13:23

Modified Apr 22, 2026 at 14:06

Affected Product

Vendor Fullstep

Product Fullstep

Version 5

Affected Versions Fullstep Fullstep 5

CWE Classification

CWE-306

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Fullstep

Product Fullstep

Version 5

References

www.incibe.es /en/incibe-cert/notices/aviso/multiple-vulnerabilities-fullstep

{
    "lastseen": "",
    "description": "Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise the confidentiality of the affected resource, provided they have a valid token with which to interact with the API.",
    "published": "2026-04-22T13:23:37.971Z",
    "modified": "2026-04-22T14:06:57.793Z",
    "type": "cve",
    "title": "Inadequate access control vulnerability in Fullstep",
    "source": "INCIBE",
    "references": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fullstep",
    "id": "CVE-2026-5749",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "Fullstep Fullstep 5",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Fullstep",
    "version": "5",
    "vendor": "Fullstep",
    "ai_description": "Inadequate access control vulnerability in the registration process, allowing unauthenticated users to obtain a valid JWT token and interact with authenticated API resources.",
    "ai_severity": "High",
    "ai_vendor": "Fullstep",
    "ai_product": "Fullstep",
    "ai_version": "5",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply