Severity score: 8.1

FUXA uses default JWT secret that can be guessed

GHSA-c8m8-3jcr-6rj5
Summary

FUXA signs JWTs with a static default secret whenever no custom secret is configured, so anyone who knows that default can forge valid login tokens and impersonate users. Update to version 1.3.0 or set a custom secret; because the default is public, address this as soon as possible.

What to do
  • Update frangoteam fuxa to version 1.3.0.
Affected software
Vendor       Product   Affected versions   Fix available
frangoteam   fuxa      <= 1.2.11           1.3.0
Original title
FUXA has a hardcoded fallback JWT signing secret
Original description
FUXA used a static fallback JWT signing secret (`frangoteam751`) when no `secretCode` was configured.

If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication.

This issue has been addressed in version 1.3.0 by removing the static fallback and generating a secure random secret when no `secretCode` is provided.
Source: GHSA · CVSS 3.1 base score: 8.1
Vulnerability type
CWE-321 Use of Hard-coded Cryptographic Key
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026