FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue
GHSA-fwcm-rqvw-j3p7 · CVE-2026-43946
Published · Modified
Description
Summary
An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist.
Details
The issue is caused by the combination of these code paths:
server/api/apikeys/verify-api-or-token.js:45sends requests withoutx-api-keytoauthJwt.verifyToken(req, res, next).server/api/jwt-helper.js:46-64creates a signed guest token when nox-access-tokenis provided:if (!token) { token = getGuestToken(); }
and then populatesreq.userId/req.userGroupsfrom that guest token.server/api/command/index.js:76-105exposes/api/getTagValue.server/runtime/scripts/index.js:106-111returnstruewhen the referenced script does not exist:if (!script) { return true; }
As a result, an unauthenticated request reaches /api/getTagValue as guest, and the authorization check is bypassed because isAuthorisedByScriptName() returns true when sourceScriptName is omitted or does not match a real script. The endpoint then returns arbitrary tag values by ID.
PoC
Requests to /api/getTagValue without authentication could succeed when the authorization logic evaluated a non-existent sourceScriptName as authorized.
References
- WEB https://github.com/frangoteam/FUXA/security/advisories/GHSA-fwcm-rqvw-j3p7
- WEB https://github.com/frangoteam/FUXA/pull/2260
- WEB https://github.com/frangoteam/FUXA/commit/78534da61a91613712b44bb63c8d7da8c5df5ca4
- PACKAGE https://github.com/frangoteam/FUXA
- WEB https://github.com/frangoteam/FUXA/releases/tag/v1.3.1
Ready to move
Start Securing
Free, no credit card | First findings in minutes