Critical Vulnerabilities in Fullstep V5 Expose User Data and API Tokens
Vulnerability coverage focused on affected versions, exploitability and patch or mitigation decisions.

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.
The published article is checked against public sources before publication, and material corrections are reflected in the article update date.
Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 from an administrator's point of view, checking CVE-2026-5749, CVE-2026-5750 against vendor, CVE and advisory context before accepting the risk language. His remediation check is practical: confirm the affected version first, restrict reachable management surfaces as he would on Juniper, Cisco or Mikrotik routers, then patch or apply vendor mitigations only where the 1 corroborating source supports that scope.
Resolved or patched. Source coverage indicates that a fix or formal remediation has been published. Verify that updates are applied in your environment.
Two critical security flaws, CVE-2026-5749 and CVE-2026-5750, have been identified in Fullstep version 5, impacting the registration process and allowing unauthorized access to sensitive user data and API tokens. These vulnerabilities have been patched in Fullstep version 5.30.07.
What happened
On April 20, 2026, INCIBE (Instituto Nacional de Ciberseguridad de España) coordinated the disclosure of two critical security vulnerabilities affecting Fullstep, a business consultancy software widely used for supplier registration and management. These vulnerabilities, identified as CVE-2026-5749 and CVE-2026-5750, impact Fullstep version 5 and pose significant risks to user data confidentiality and API security.
Discovered by cybersecurity researcher Alejandro Rivera León, these flaws allow attackers to bypass access controls and access or modify sensitive information without proper authorization. The Fullstep development team promptly addressed these issues by releasing version 5.30.07, which includes the necessary patches.
This article synthesizes multiple corroborating reports from INCIBE to provide a comprehensive understanding of the vulnerabilities, their impact, and recommended mitigation steps.
Confirmed facts
- CVE-2026-5749 (CVSS v4.0 score 8.7 - High severity): This vulnerability is an improper access control flaw in the registration process of Fullstep V5. It enables unauthenticated attackers to obtain a valid JSON Web Token (JWT) that can be used to interact with authenticated API endpoints. The CVSS vector indicates the attack can be performed remotely without privileges or user interaction, and it compromises the confidentiality of protected resources.
- CVE-2026-5750 (CVSS v4.0 score 7.6 - High severity): This is an insecure direct object reference (IDOR) vulnerability affecting authenticated users. It allows users to access and modify data belonging to other registered users by manipulating API endpoints. Vulnerable endpoints include:
  - `/api/suppliers/v1/suppliers/<ID>/false` – used to enumerate user information.
  - `/#/supplier-registration/supplier-registration/<ID>/2` – used to modify personal data and documents.
- Both vulnerabilities affect Fullstep version 5 and have been fixed in version 5.30.07.
- The CWE classifications are CWE-284 (Improper Access Control) for CVE-2026-5749 and CWE-639 (Authorization Bypass Through User-Controlled Key) for CVE-2026-5750.
- The vulnerabilities could lead to unauthorized disclosure and modification of sensitive business and personal data, potentially enabling identity theft, fraud, or further exploitation.
Who is affected
- Fullstep V5 users: Organizations using Fullstep version 5 for supplier registration and management are directly impacted.
- Registered users of affected Fullstep installations: Both authenticated and unauthenticated users of vulnerable Fullstep systems may be at risk.
- Administrators and IT security teams: those responsible for maintaining Fullstep installations need to apply patches urgently and review access controls.
- Business partners and suppliers: anyone whose data is stored or processed via Fullstep may face confidentiality breaches.
What to do now
- Update Fullstep immediately: Organizations must upgrade to Fullstep version 5.30.07 or later, which contains fixes for both vulnerabilities.
- Audit API access logs: Review logs for suspicious activity, such as unauthorized JWT usage or unusual access patterns to supplier endpoints.
- Revoke compromised tokens: If possible, invalidate existing JWTs issued before the patch to prevent misuse.
- Notify affected users: Inform users whose data might have been exposed or modified to monitor for identity theft or fraud.
- Strengthen authentication and authorization: Review and enforce strict access controls, including multi-factor authentication (MFA) where applicable.
- Monitor for exploitation attempts: Use intrusion detection systems and threat intelligence feeds to detect exploitation attempts targeting these vulnerabilities.
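The "audit API access logs" and "revoke compromised tokens" steps above can be scripted. The following is an added example, not Fullstep code and not from INCIBE or the researcher: it assumes an application log with one line per request in the form `timestamp sub=<JWT subject> METHOD path status` (a constructed layout), flags any subject that successfully read more distinct `/api/suppliers/v1/suppliers/<ID>/false` records than a single registered user plausibly owns, and rejects JWTs whose `iat` claim predates an assumed upgrade cutoff (`PATCH_CUTOFF`). The log lines and the demo token are constructed; `make_demo_token` exists only to give the check something to run on.

```python
import base64
import hashlib
import hmac
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample application log (not real Fullstep output). The field layout
# "timestamp sub=<jwt subject> METHOD path status" is an assumption for this example.
SAMPLE_LOG = """\
2026-04-21T09:00:01Z sub=user-1001 GET /api/suppliers/v1/suppliers/1001/false 200
2026-04-21T09:00:05Z sub=user-1001 GET /api/suppliers/v1/suppliers/1002/false 200
2026-04-21T09:00:06Z sub=user-1001 GET /api/suppliers/v1/suppliers/1003/false 200
2026-04-21T09:00:07Z sub=user-1001 GET /api/suppliers/v1/suppliers/1004/false 200
2026-04-21T09:00:08Z sub=user-1001 GET /api/suppliers/v1/suppliers/1005/false 200
2026-04-21T09:00:09Z sub=user-1001 GET /api/suppliers/v1/suppliers/1006/false 200
2026-04-21T09:15:00Z sub=user-2044 GET /api/suppliers/v1/suppliers/2044/false 200
2026-04-21T09:16:00Z sub=user-2044 POST /api/suppliers/v1/suppliers/2044/documents 204
2026-04-21T09:30:00Z sub=user-3100 GET /api/suppliers/v1/suppliers/3100/false 200
2026-04-21T09:30:02Z sub=user-3100 GET /api/suppliers/v1/suppliers/3101/false 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sub=(?P<sub>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# The enumeration endpoint named in the advisory; <ID> is the supplier record key.
SUPPLIER_RE = re.compile(r"^/api/suppliers/v1/suppliers/(?P<id>\d+)/false$")

# Assumed moment the 5.30.07 upgrade went live; tokens minted earlier are suspect.
PATCH_CUTOFF = datetime(2026, 4, 21, 0, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Yield one dict per line that matches the assumed layout; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def audit_supplier_access(text, max_distinct_ids=3):
    """Map each subject to the sorted supplier IDs it successfully read, keeping
    only subjects that read more records than one registered user plausibly owns.
    One subject walking many different <ID> values is the IDOR enumeration pattern."""
    seen = defaultdict(set)
    for rec in parse_log(text):
        m = SUPPLIER_RE.match(rec["path"])
        if m and rec["status"] == "200":
            seen[rec["sub"]].add(int(m.group("id")))
    return {sub: sorted(ids) for sub, ids in seen.items() if len(ids) > max_distinct_ids}


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(payload, key=b"demo-key-not-a-real-secret"):
    """Build a constructed HS256 JWT so the check below has input to run on."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def jwt_issued_before(token, cutoff=PATCH_CUTOFF):
    """True when the token's iat claim predates the cutoff, i.e. it should be
    treated as revoked. Malformed tokens and tokens without iat are also reported
    as revoked because their age cannot be established. Signature verification is
    left to the API gateway; this function only reads the claim."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
        issued = datetime.fromtimestamp(int(payload["iat"]), tz=timezone.utc)
    except (IndexError, KeyError, TypeError, ValueError, OverflowError, OSError):
        return True
    return issued < cutoff


if __name__ == "__main__":
    print("enumeration suspects:", audit_supplier_access(SAMPLE_LOG))
    stale = make_demo_token({"sub": "user-1001", "iat": 1776000000})
    print("pre-patch token revoked:", jwt_issued_before(stale))
```

The threshold of three distinct records is a placeholder; tune it per tenant, since a procurement officer legitimately reads many supplier records while a self-registering supplier normally reads only its own. The `iat` gate belongs in the gateway or middleware that already verifies the signature, so that every pre-upgrade token is refused regardless of how it was obtained.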
How to secure yourself
- For end users:
  - Change your Fullstep account passwords regularly.
  - Be vigilant for phishing attempts or unexpected communications claiming to be from Fullstep or related services.
  - Report any suspicious account activity immediately to your organization's IT department.
- For administrators:
  - Apply the latest security patches without delay.
  - Implement role-based access controls to limit user privileges.
  - Use secure coding practices to prevent IDOR and access control issues in custom integrations.
  - Conduct regular security assessments and penetration testing.
- For organizations:
  - Train employees on cybersecurity best practices.
  - Maintain an incident response plan tailored to software vulnerabilities.
  - Collaborate with cybersecurity authorities for timely threat intelligence.
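The administrator item about preventing IDOR in custom integrations is easiest to see as code. The following is an added example, not Fullstep's implementation and not from the advisory: it places the CWE-639 shape (`get_supplier_vulnerable`, which checks only that the caller is logged in) beside a hardened version in which every endpoint that takes a supplier ID, the read path and the modify path alike, goes through one ownership check keyed on the verified JWT subject. The `Principal`, `SupplierRecord`, the in-memory `SUPPLIERS` store, the `supplier_admin` role and the `USER_EDITABLE` allow-list are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Identity taken from an already-verified JWT: subject plus any roles (assumed shape)."""
    sub: str
    roles: frozenset = frozenset()


@dataclass
class SupplierRecord:
    supplier_id: int
    owner_sub: str      # the registered user this record belongs to
    company: str
    tax_id: str


class NotFound(Exception):
    """Maps to HTTP 404."""


class Forbidden(Exception):
    """Maps to HTTP 403."""


# Constructed in-memory store standing in for the supplier database.
SUPPLIERS = {
    1001: SupplierRecord(1001, "user-1001", "Alpha Logistics SL", "B00000001"),
    2044: SupplierRecord(2044, "user-2044", "Beta Components SA", "A00000002"),
}

# Fields a registered user may change on their own record; everything else
# (owner, tax id, the ID itself) is rejected server-side.
USER_EDITABLE = {"company"}


def get_supplier_vulnerable(principal, supplier_id):
    """The IDOR shape: authentication is checked, ownership is not, so any
    logged-in user can read any record by changing <ID> in the path."""
    if principal is None:
        raise Forbidden("login required")
    if supplier_id not in SUPPLIERS:
        raise NotFound(supplier_id)
    return SUPPLIERS[supplier_id]


def authorize_supplier(principal, supplier_id):
    """Single ownership check shared by every endpoint that takes a supplier ID.
    A record the caller may not see is reported as 404, the same as a record
    that does not exist, so the endpoint cannot be used to learn which IDs are live."""
    if principal is None:
        raise Forbidden("login required")
    record = SUPPLIERS.get(supplier_id)
    if record is None:
        raise NotFound(supplier_id)
    if record.owner_sub != principal.sub and "supplier_admin" not in principal.roles:
        raise NotFound(supplier_id)
    return record


def get_supplier(principal, supplier_id):
    """Hardened read path: the enumeration endpoint in the advisory, with ownership enforced."""
    return authorize_supplier(principal, supplier_id)


def update_supplier(principal, supplier_id, changes):
    """Hardened modify path: same ownership gate, plus an allow-list of fields."""
    record = authorize_supplier(principal, supplier_id)
    rejected = set(changes) - USER_EDITABLE
    if rejected:
        raise Forbidden(f"fields not editable: {sorted(rejected)}")
    for name, value in changes.items():
        setattr(record, name, value)
    return record


def can_access(principal, supplier_id):
    """True if the hardened path lets this principal read the record."""
    try:
        authorize_supplier(principal, supplier_id)
        return True
    except (NotFound, Forbidden):
        return False


if __name__ == "__main__":
    alice = Principal("user-1001")
    print("vulnerable path leaks:", get_supplier_vulnerable(alice, 2044).tax_id)
    print("hardened path allows:", can_access(alice, 2044))  # False
```

The point of routing both endpoints through `authorize_supplier` is that the advisory lists two vulnerable endpoints for the same record; a check that lives in only one handler leaves the other open. Returning 404 rather than 403 for records the caller does not own keeps the read endpoint from doubling as an ID-existence oracle, and the field allow-list stops a modify request from reassigning `owner_sub` or `tax_id` even when the ID itself is legitimate.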
FAQ
What is CVE-2026-5749?
CVE-2026-5749 is a critical improper access control vulnerability in Fullstep V5’s registration process that allows unauthenticated attackers to obtain valid JWT tokens and access protected API resources.
How does CVE-2026-5750 affect Fullstep users?
It enables authenticated users to access and modify other users’ data through insecure direct object references, compromising data confidentiality and integrity.
Am I affected if I use Fullstep version 5.30.07 or later?
No, the vulnerabilities have been fixed in version 5.30.07, so updating to this version or later mitigates the risk.
Can attackers exploit these vulnerabilities remotely?
Yes, both vulnerabilities can be exploited remotely without user interaction, increasing their severity.
What should administrators do to protect their Fullstep installations?
They should immediately apply the security patch, audit access logs, revoke compromised tokens, and enforce strict access controls.
Are there any known cases of exploitation in the wild?
As of the latest update from INCIBE on April 20, 2026, no confirmed exploitation cases have been reported, but the risk remains high.
How can users detect if their data was compromised?
Users should monitor account activity for unauthorized changes and report anomalies to their IT security teams.
Does enabling multi-factor authentication help?
Yes, MFA adds an additional security layer that can mitigate unauthorized access even if tokens are compromised.
What is the significance of the CVSS v4.0 scores?
They indicate the severity and exploitability of the vulnerabilities, helping prioritize remediation based on risk.
Why this matters
These vulnerabilities expose critical weaknesses in access control and API security within business software managing sensitive supplier and user data. Exploitation could lead to unauthorized data access, modification, and potential business disruption or reputational damage.
Given the increasing reliance on digital platforms for supplier management and the sophistication of cyber threats in 2026, timely patching and robust security practices are essential to protect organizational assets and user privacy.
Sources and corroboration
This article is based on official information published by INCIBE on April 20, 2026, available at [INCIBE Security Advisory](https://www.incibe.es/node/618647). The vulnerabilities were independently discovered and reported by security researcher Alejandro Rivera León. The consolidated data reflects multiple corroborating sources from INCIBE’s coordinated disclosure.
---
Stay informed and proactive to defend against emerging cybersecurity threats in 2026 and beyond.
Sources used for this article
incibe.es
