Listen to this Post
Intro: How CVE-2026-47718 Works
The vulnerability CVE-2026-47718 is an authentication bypass in FUXA – a web‑based SCADA/HMI platform – which allows an unauthenticated attacker to read sensitive project data even when the platform is explicitly configured to run in secure mode (secureEnabled=true).
At the heart of the issue is the `verifyToken()` function inside server/api/jwt-helper.js. When a request arrives without any JWT token, `verifyToken()` does not reject the request, but instead automatically generates a valid guest JWT token and returns a guest context. Similarly, if the request supplies an invalid x-access-token, the function also silently converts the invalid token state into a guest context without any authentication failure. As a result, every unauthenticated or invalid‑token request is treated as a guest request.
Once the guest context is established, the request proceeds to the API handlers. The code paths in server/api/projects/index.js, `server/api/alarms/index.js` and `server/api/scheduler/index.js` all accept this guest context and subsequently return the full project data, alarms and scheduler information – exactly the same data a properly authenticated user would see. In other words, the middleware chain does not contain a proper authentication gate for these read endpoints, and the guest context bypasses any access control.
An attacker can therefore send a simple HTTP GET request to e.g. `/api/project` without any token, and the server will respond with a `200 OK` containing the complete project configuration, including server‑side scripts, device connection information, HMI views and alarm definitions. The same behaviour can be triggered by providing an explicitly invalid token. This exposure gives an attacker a detailed map of the industrial control system, which can be used as a foundation for further targeted attacks.
DailyCVE Form:
Platform: `FUXA (SCADA/HMI)`
Version: `1.3.0-2773`
Vulnerability: `Auth bypass / IDOR`
Severity: `Moderate`
Date: `2026-05-26`
Prediction: `2026-06-15`
What Undercode Say:
Unauthenticated project data disclosure curl -s http://target:1881/api/project Unauthenticated alarms disclosure curl -s http://target:1881/api/alarms Unauthenticated scheduler information disclosure curl -s http://target:1881/api/scheduler?id=test The same requests with an explicitly invalid token also succeed curl -s -H "x-access-token: invalid_token" http://target:1881/api/project
How Exploit:
1. Identify a FUXA instance with `secureEnabled=true`.
- Send a GET request to `/api/project` without any authentication headers.
- Observe the server returns `200 OK` containing the full project data (scripts, devices, HMI views, alarm definitions).
- Repeat the same steps for `/api/alarms` and `/api/scheduler` to obtain additional sensitive information.
Protection:
- Upgrade FUXA to version 1.3.1 or later, where the guest‑to‑authenticated path is properly fixed.
- After upgrading, verify that unauthenticated requests to the affected endpoints now return
401 Unauthorized. - If immediate patching is not possible, apply a web application firewall rule to block anonymous requests to
/api/project, `/api/alarms` and/api/scheduler.
Impact:
- Exposure of the entire project configuration (scripts, devices, HMI views, alarm definitions).
- Leakage of internal automation logic and device communication endpoints.
- Full disclosure of all alarms and scheduler tasks.
- Provides an attacker with detailed reconnaissance data that can be used to plan further attacks against the industrial environment.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

