FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
Severity: High
Description
An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled but the administrator JWT secret is not configured, in which case a hardcoded default secret is used. This issue has been patched in FUXA version 1.2.10.
Recommendation
Update the fuxa-server package to the latest compatible version. Version details:
- Affected version(s): <= 1.2.9
- Patched version(s): 1.2.10
References
Related Issues
- FUXA Unauthenticated Remote Code Execution via Admin JWT Minting - CVE-2026-25893
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
- FUXA Unauthenticated Remote Code Execution in Node-RED Integration - CVE-2026-25938
- FUXA allows Remote Code Execution (RCE) via the project import functionality. - CVE-2025-69983
Tags:
- npm
- fuxa-server
Last updated on February 10, 2026