Multiple vulnerabilities in Fullstep
Fullstep, version 5.
INCIBE has coordinated the disclosure of two critical-severity vulnerabilities affecting the registration process of Fullstep, a business consulting firm. The vulnerabilities were discovered by Alejandro Rivera León.
The following identifiers, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type have been assigned to each vulnerability:
- CVE-2026-5749: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-284
- CVE-2026-5750: CVSS v4.0: 7.6 | CVSS AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-639
The vulnerabilities have been fixed by the Fullstep team in version 5.30.07, which has been available in production since January 29, 2026; therefore, they currently pose no risk to the environment.
- CVE-2026-5749: inadequate access control in the registration process of Fullstep V5, which could allow unauthenticated users to obtain a valid JWT with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise the confidentiality of the affected resource, provided they hold a valid token with which to interact with the API.
- CVE-2026-5750: an insecure direct object reference (IDOR) vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through several vulnerable authenticated resources in the application. The vulnerable endpoints are:
  - '/api/suppliers/v1/suppliers/<ID>/false', to list user information.
  - '/#/supplier-registration/supplier-registration/<ID>/2', to update user information (personal details, documents, etc.).
Successful exploitation of this vulnerability could allow an authenticated user to compromise the confidentiality and integrity of the affected resource.
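The IDOR described for CVE-2026-5750 comes down to a missing ownership check between the ID in the URL and the authenticated caller. The following is an added illustration, not Fullstep's code and not the actual fix shipped in 5.30.07: it shows the vulnerable handler pattern for the listing endpoint beside a hardened one that binds the requested ID to the caller. The `Principal` fields, the `admin` role and the supplier store are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Route pattern taken from the advisory; the "/false" suffix is kept verbatim.
SUPPLIER_ROUTE = re.compile(r"^/api/suppliers/v1/suppliers/(?P<id>\d+)/false$")

# Constructed sample data standing in for the supplier registration store.
SUPPLIERS = {
    101: {"name": "Supplier A", "tax_id": "A-0001"},
    202: {"name": "Supplier B", "tax_id": "B-0002"},
}


@dataclass(frozen=True)
class Principal:
    """Identity recovered from an already-verified JWT (claim names are assumed)."""
    subject: str
    supplier_id: int
    roles: frozenset = frozenset()


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def parse_supplier_id(path):
    """Return the <ID> segment of the listing endpoint, or None if the path does not match."""
    m = SUPPLIER_ROUTE.match(path)
    return int(m.group("id")) if m else None


def list_supplier_vulnerable(principal, path):
    """IDOR pattern: any authenticated principal may read any supplier ID."""
    supplier_id = parse_supplier_id(path)
    if supplier_id is None or supplier_id not in SUPPLIERS:
        raise NotFound(path)
    return SUPPLIERS[supplier_id]


def list_supplier_fixed(principal, path):
    """Hardened: the ID in the URL must belong to the caller (or the caller is an admin).
    The check runs before the lookup so the response does not reveal whether the ID exists."""
    supplier_id = parse_supplier_id(path)
    if supplier_id is None:
        raise NotFound(path)
    if "admin" not in principal.roles and principal.supplier_id != supplier_id:
        raise Forbidden(f"{principal.subject} may not access supplier {supplier_id}")
    if supplier_id not in SUPPLIERS:
        raise NotFound(path)
    return SUPPLIERS[supplier_id]
```

The same ownership check applies to the update route, where the integrity impact comes from; a consistent 403 for foreign IDs is also a useful detection signal when logged.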
| CVE Identifier | Severity | Exploitation | Vendor |
|---|---|---|---|
| CVE-2026-5749 | High | No | Fullstep |
| CVE-2026-5750 | High | No | Fullstep |