Platform: other
Component: fullstep
Fixed in: 5.0.1
CVE-2026-5749 describes an inadequate access control vulnerability within the registration process of Fullstep V5. This flaw allows unauthenticated users to potentially obtain a valid JSON Web Token (JWT), granting them unauthorized access to authenticated API resources. The vulnerability affects versions 5.0.0 through 5.30.07 and requires prompt attention to mitigate potential data exposure.
Successful exploitation of CVE-2026-5749 could lead to a significant compromise of data confidentiality. An attacker, having acquired a valid JWT, could interact with authenticated API resources as if they were a legitimate user. This could involve accessing sensitive data, modifying configurations, or performing other actions that would normally be restricted. The potential blast radius depends on the sensitivity of the API resources and the privileges associated with the acquired JWT. The ability to obtain a JWT without authentication bypasses standard security controls, making this a high-risk vulnerability.
CVE-2026-5749 was publicly disclosed on 2026-04-22. There is no indication of active exploitation or a KEV listing at this time. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature suggests it could be relatively easy to exploit once a POC is developed. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.07% (20th percentile)
CISA SSVC
The primary mitigation for CVE-2026-5749 is to upgrade to a patched version of Fullstep. Unfortunately, the specific patched version is not provided. Until a patch is available, consider implementing temporary workarounds. These may include stricter API authentication policies, rate limiting on registration endpoints, and enhanced monitoring for suspicious JWT usage. Review and strengthen access control mechanisms within the API to limit the impact of a compromised JWT. After upgrading, confirm the fix by attempting to register without authentication and verifying that a JWT is not generated.
Update to the latest available version of Fullstep to mitigate this vulnerability. Review the official Fullstep documentation for specific upgrade instructions and to fully understand the impact on your environment. Implement stricter access controls to protect API resources.
CVE-2026-5749 is a vulnerability in Fullstep V5 allowing unauthenticated users to obtain valid JWT tokens, potentially compromising API resource confidentiality.
If you are running Fullstep V5 versions 5.0.0 through 5.30.07, you are potentially affected by this vulnerability. Check your version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of Fullstep. Until a patch is available, implement temporary workarounds like stricter API authentication and monitoring.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests it could be exploited once a proof-of-concept is developed.
Refer to the Fullstep security advisories page for updates and official guidance regarding CVE-2026-5749.