Auth bypass in Fullstep
CVE-2026-5749
Inadequate access control in the registration process in Fullstep V5 could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerabilit…
Vulnerability class: Broken Authentication
EPSS: 0.001 (26.3th percentile)
Affected products
- Fullstep — versions 5, 5.30.07
Weakness classification (CWE)
References
- cve-coordination@incibe.es (patch)