PatchSiren cyber security CVE debrief
CVE-2026-5749 Fullstep CVE debrief
## Summary

CVE-2026-5749 is a HIGH severity (CVSS 4.0: 8.7) authentication bypass vulnerability in Fullstep V5. The registration process fails to enforce proper access controls, allowing unauthenticated attackers to obtain valid JWT tokens and subsequently access authenticated API resources. The vulnerability was published on 2026-04-22 and last modified on 2026-05-19.

## Technical Details

The root cause is **CWE-306: Missing Authentication for Critical Function** in the registration flow. An unauthenticated attacker can exploit this to:

1. Complete the registration process without proper authentication checks
2. Receive a valid JWT token from the system
3. Use this token to interact with API endpoints requiring authentication

The CVSS 4.0 vector (`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N`) indicates:

- **Attack Vector**: Network (exploitable remotely)
- **Attack Complexity**: Low
- **Attack Requirements**: None
- **Privileges Required**: None
- **User Interaction**: None
- **Confidentiality Impact**: High (to the vulnerable component)
- **Integrity/Availability Impact**: None
- **Subsequent System Impact**: None (SC:N/SI:N/SA:N)

Notably, the vulnerability status in NVD is marked as **
- Vendor: Fullstep
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-22
- Original CVE updated: 2026-05-19
- Advisory published: 2026-04-22
- Advisory updated: 2026-05-19
Who should care
- Organizations using Fullstep V5 for business process management
- Security teams responsible for API authentication and access control
- Developers implementing JWT-based authentication flows
Technical summary
The Fullstep V5 registration endpoint lacks proper authentication controls (CWE-306), enabling unauthenticated users to complete registration and obtain valid JWT tokens. These tokens grant access to authenticated API resources, resulting in HIGH confidentiality impact. The vulnerability is remotely exploitable with low complexity and no required privileges or user interaction.
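A worked illustration of the flaw class and its fix, added here and not taken from the advisory or from Fullstep's code: a registration handler that mints a usable JWT for anyone who completes the form (the CWE-306 pattern the summary describes), beside a hardened flow that gates registration on a single-use invite, issues no token until an administrator activates the account, and has the API re-check account status instead of trusting any well-signed token. Every class, field and role name is hypothetical, and HS256 is implemented with the standard library only so the example runs offline.

```python
"""Added illustration, not Fullstep code: a registration flow that mints a usable
JWT the way CWE-306 describes, beside a hardened flow.  Every name here is
hypothetical; HS256 is done with the standard library so it runs offline."""
import base64
import hashlib
import hmac
import json
import secrets
import time

KEY = b"constructed-demo-signing-key"  # constructed; use a managed key in production

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes = KEY) -> str:
    """Minimal HS256 encoder: b64url(header).b64url(claims).b64url(HMAC-SHA256)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, key: bytes = KEY):
    """Return the claims when signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    try:
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # bad base64 or bad JSON
        return None
    return claims if claims.get("exp", 0) > time.time() else None

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class VulnerableRegistration:
    """Advisory pattern: finishing the form yields a token the API fully trusts."""
    def __init__(self):
        self.users = {}

    def register(self, username: str, password: str) -> str:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw": _hash_pw(password, salt)}
        return sign_jwt({"sub": username, "exp": int(time.time()) + 3600})

    def api_call(self, token: str):
        return verify_jwt(token)  # signature alone decides access

class HardenedRegistration:
    """Invite-gated registration, 'pending' until an admin activates, token only
    at login for active accounts, and the API re-checks account status per call."""
    def __init__(self, invites: dict):
        self.users = {}
        self.invites = dict(invites)  # invite code -> username, issued out of band

    def register(self, username: str, password: str, invite_code: str) -> None:
        if self.invites.pop(invite_code, None) != username:  # single-use invite
            raise PermissionError("a valid invite is required to register")
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw": _hash_pw(password, salt),
                                "status": "pending", "roles": []}
        return None  # deliberately no token at registration time

    def activate(self, username: str, admin_token: str) -> None:
        admin = verify_jwt(admin_token)
        if not admin or "admin" not in admin.get("roles", []):
            raise PermissionError("an admin token is required to activate accounts")
        self.users[username]["status"] = "active"

    def login(self, username: str, password: str):
        user = self.users.get(username)
        if not user or user["status"] != "active":
            return None
        if not hmac.compare_digest(user["pw"], _hash_pw(password, user["salt"])):
            return None
        return sign_jwt({"sub": username, "roles": user["roles"],
                         "exp": int(time.time()) + 900})

    def api_call(self, token: str):
        claims = verify_jwt(token)
        if not claims:
            return None
        user = self.users.get(claims["sub"])
        if not user or user["status"] != "active":
            return None  # pending or disabled accounts lose access even with a live token
        return claims
```

The status re-check in the hardened `api_call` is what makes the "revoke suspicious tokens" action practical: flipping an account to disabled denies access immediately, without waiting for the token's `exp` or maintaining a separate token denylist.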
Defensive priority
HIGH
Recommended defensive actions
- Review and harden registration endpoint authentication controls to ensure critical functions require proper authentication before issuing JWT tokens
- Implement mandatory authentication checks before any token issuance in user registration flows
- Audit existing JWT tokens for unauthorized issuance and revoke suspicious tokens
- Apply principle of least privilege to API endpoints accessed via registration-issued tokens
- Monitor for anomalous registration patterns and unauthorized API access attempts
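As an added example, not from the advisory or from Fullstep, the monitoring action above in code: two detections run over constructed JSON log lines, one for registration bursts per source IP and one for accounts that reach authenticated API paths without ever logging in (the footprint of a token handed out by the registration step itself). The event names `register`, `login` and `api` and the field names are assumptions to be mapped onto the product's real audit log.

```python
"""Added example, not part of the advisory or of Fullstep: detection logic for the
'anomalous registration patterns' and 'unauthorized API access' actions, run over
constructed JSON log lines.  The event and field names are assumptions."""
import json
from collections import defaultdict

# Constructed sample.  One IP mass-registers accounts that hit authenticated API
# paths without ever logging in (a token obtained at registration); one normal
# user registers, logs in, then uses the API.  A non-JSON line tests robustness.
SAMPLE_LOG = """\
{"ts":1776815000,"event":"register","ip":"198.51.100.7","user":"u1001"}
{"ts":1776815002,"event":"api","ip":"198.51.100.7","user":"u1001","path":"/api/orders"}
{"ts":1776815010,"event":"register","ip":"198.51.100.7","user":"u1002"}
{"ts":1776815012,"event":"api","ip":"198.51.100.7","user":"u1002","path":"/api/orders"}
{"ts":1776815020,"event":"register","ip":"198.51.100.7","user":"u1003"}
{"ts":1776815021,"event":"api","ip":"198.51.100.7","user":"u1003","path":"/api/suppliers"}
{"ts":1776815030,"event":"register","ip":"198.51.100.7","user":"u1004"}
{"ts":1776815040,"event":"register","ip":"198.51.100.7","user":"u1005"}
{"ts":1776815100,"event":"register","ip":"203.0.113.5","user":"carol"}
{"ts":1776815400,"event":"login","ip":"203.0.113.5","user":"carol"}
{"ts":1776815405,"event":"api","ip":"203.0.113.5","user":"carol","path":"/api/orders"}
garbage line that is not JSON and must be skipped
"""

def parse_log(text: str) -> list:
    """Parse one JSON object per line; skip unparsable lines instead of crashing."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and {"ts", "event", "ip", "user"} <= ev.keys():
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def registration_bursts(events: list, window: int = 300, threshold: int = 5) -> dict:
    """Source IPs with >= threshold registrations inside any sliding window (seconds)."""
    by_ip = defaultdict(list)
    for ev in events:  # events arrive time-ordered from parse_log
        if ev["event"] == "register":
            by_ip[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        best, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def api_without_login(events: list) -> list:
    """Users seen on authenticated API paths before any login event: the signature
    of a token that was handed out by the registration step itself."""
    logged_in, suspicious = set(), set()
    for ev in events:  # time-ordered, so a 'login' precedes the 'api' calls it covers
        if ev["event"] == "login":
            logged_in.add(ev["user"])
        elif ev["event"] == "api" and ev["user"] not in logged_in:
            suspicious.add(ev["user"])
    return sorted(suspicious)

def run_detections(text: str = SAMPLE_LOG) -> dict:
    events = parse_log(text)
    return {"bursts": registration_bursts(events),
            "api_without_login": api_without_login(events)}
```

Tune `window` and `threshold` to the deployment's normal registration rate; the login-before-API check is the sharper signal here, because on an exploited instance the registration-issued token is used without any login event ever being recorded for that account.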
- Contact Fullstep vendor for official patch information given uncertain vendor attribution
Evidence notes
Primary source is INCIBE-CERT (Spanish National Cybersecurity Institute). Vendor attribution is marked as 'Unknown Vendor' with low confidence and flagged for review. The reference domain 'Incibe' was identified as a candidate vendor source.
Official resources
- CVE-2026-5749 CVE record (CVE.org)
- CVE-2026-5749 NVD detail (NVD)
- Source item: nvd_modified feed, reference date 2026-04-22