Auth bypass in Fullstep

CVE-2026-5750

An insecure direct object reference (IDOR) vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the applic…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.001 (15.8th percentile) — read the EPSS interpretation.

Affected products

Fullstep — versions 5, 5.30.07

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fullstep (patch)