CVE-2026-47718: FUXA provides guest and invalid-token access to protected read APIs in secure mode

May 28, 2026

When secureEnabled=true, FUXA 1.3.0-2773 still allows guest and invalid-token requests to read project, alarms, and scheduler APIs.

References

github.com/advisories/GHSA-r9g5-7q8j-958c
github.com/frangoteam/FUXA/releases/tag/v1.3.1
github.com/frangoteam/FUXA/security/advisories/GHSA-r9g5-7q8j-958c
nvd.nist.gov/vuln/detail/CVE-2026-47718

Code Behaviors & Features

Detect and mitigate CVE-2026-47718 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →