PRP: FUXA CVE-2026-25938 Unauthenticated Remote Code Execution via Node-RED Integration #809

@wannabemrrobot

Description

  • Identifier of the vulnerability: CVE-2026-25938
  • Affected software: FUXA (https://github.com/frangoteam/FUXA) - SCADA/HMI/IoT platform for industrial automation
  • Type of vulnerability: RCE (Unauthenticated Remote Code Execution)
  • CVSS Score: 9.5 Critical (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
  • Impact: An unauthenticated remote attacker can send a specially crafted request to the /nodered/flows endpoint to bypass authentication checks, granting administrative access to the Node-RED deployment API. By submitting a malicious flow configuration, the attacker executes arbitrary code in the context of the FUXA service. This affects deployments with the Node-RED plugin enabled, including those with secureEnabled set to true. Depending on deployment, this may lead to full system compromise and could further expose connected ICS/SCADA environments.
  • Patched version: 1.2.11
  • Affected versions: >= 1.2.8, < 1.2.11
  • Language you would use for writing the plugin: Templated (textproto) or Java
  • Resources:
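The affected range above (>= 1.2.8, < 1.2.11, fixed in 1.2.11) is the kind of check a version-based detector for this PRP would need. The snippet below is an added illustration, not FUXA's code or the proposed plugin; it assumes nothing about FUXA beyond the version range and the Node-RED-plugin condition stated in this issue, and `assessDeployment` is a hypothetical triage helper. It compares versions numerically so that 1.2.10 sorts after 1.2.8, which a plain string comparison gets wrong.

```javascript
// Added illustrative version-range check for CVE-2026-25938 (not FUXA's or the plugin's own code).
// Range taken from the issue text: affected >= 1.2.8 and < 1.2.11; patched in 1.2.11.
const AFFECTED_MIN = '1.2.8';  // inclusive lower bound
const PATCHED = '1.2.11';      // exclusive upper bound (first fixed release)

// Parse "1.2.10", "v1.2.10" or "1.2.10-beta" into numeric components [1, 2, 10].
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/i, '').split(/[-+]/)[0];
  if (!/^\d+(\.\d+)*$/.test(core)) {
    throw new Error(`unrecognised version string: ${v}`);
  }
  return core.split('.').map(Number);
}

// Component-wise numeric comparison: returns -1, 0 or 1.
// Missing trailing components count as 0, so "1.2" equals "1.2.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the reported FUXA version falls inside the half-open affected range.
function isAffectedVersion(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, PATCHED) < 0;
}

// Hypothetical triage helper: the issue states only deployments with the Node-RED
// plugin enabled are exposed, and that secureEnabled=true does not prevent the bypass.
function assessDeployment({ version, nodeRedEnabled }) {
  if (!isAffectedVersion(version)) {
    return 'not affected: version outside >=1.2.8,<1.2.11';
  }
  if (!nodeRedEnabled) {
    return 'affected version but Node-RED plugin disabled: upgrade to 1.2.11';
  }
  return 'VULNERABLE: Node-RED plugin enabled; upgrade to 1.2.11 (secureEnabled does not mitigate)';
}

// Constructed sample inventory for a stand-alone run.
const sampleHosts = [
  { host: 'hmi-a', version: '1.2.10', nodeRedEnabled: true },
  { host: 'hmi-b', version: '1.2.8', nodeRedEnabled: false },
  { host: 'hmi-c', version: '1.2.11', nodeRedEnabled: true },
];
for (const h of sampleHosts) {
  console.log(`${h.host} (${h.version}): ${assessDeployment(h)}`);
}
```

Pre-release suffixes are stripped before comparison, so a build labelled 1.2.11-rc is treated as 1.2.11; if the project ships such builds, decide explicitly whether that is the behaviour you want rather than relying on this default.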
