CVE-2026-5749
Description
Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise the confidentiality of the affected resource, provided they have a valid token with which to interact with the API.
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2026-5749? +
How do I check if I'm vulnerable to CVE-2026-5749? +
Related Vulnerabilities
An improper access control vulnerability in the canonical-livepatch snap client prior to version 10.15.0 allows a local unprivileged user to …
A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR …
A Missing Authentication for Critical Function vulnerability in the GRUB configuration used B&R APROL <4.4-01 may allow an unauthenticated physical …
Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that …
A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 …
A file handling command vulnerability in certain versions of Armoury Crate may result in arbitrary file deletion. Refer to the …