CVE-2026-44668: CWE-306: Missing Authentication for Critical Function in factionsecurity faction
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in BoilerPlateConfig perform no local session check either, allowing an unauthenticated attacker to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. This vulnerability is fixed in 1.8.3.
AI Analysis
Technical Summary
The vulnerability CVE-2026-44668 in factionsecurity's faction product before version 1.8.3 is due to missing authentication checks in the AccessControlInterceptor and certain BoilerPlateConfig action methods. The AccessControlInterceptor unconditionally calls invocation.invoke() without validating the session, and four BoilerPlateConfig methods lack local session verification. This flaw enables unauthenticated attackers to perform unauthorized read, overwrite, deactivation, and permanent deletion of boilerplate templates within the system. The issue is categorized under CWE-306 (Missing Authentication for Critical Function) and has a critical CVSS 3.1 score of 9.8. The vulnerability is addressed in faction version 1.8.3.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to fully compromise boilerplate templates by reading, overwriting, deactivating, or permanently deleting them. This can lead to significant integrity and availability impacts on the system's template management functionality. The CVSS score of 9.8 reflects high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
This vulnerability is fixed in faction version 1.8.3. Users should upgrade to version 1.8.3 or later to remediate this issue. Patch status is not explicitly stated beyond this fix version, so verifying with the vendor advisory is recommended for the latest remediation guidance.
CVE-2026-44668: CWE-306: Missing Authentication for Critical Function in factionsecurity faction
Description
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in BoilerPlateConfig perform no local session check either, allowing an unauthenticated attacker to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. This vulnerability is fixed in 1.8.3.
CVSS v3.1
Score 9.8critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-44668 in factionsecurity's faction product before version 1.8.3 is due to missing authentication checks in the AccessControlInterceptor and certain BoilerPlateConfig action methods. The AccessControlInterceptor unconditionally calls invocation.invoke() without validating the session, and four BoilerPlateConfig methods lack local session verification. This flaw enables unauthenticated attackers to perform unauthorized read, overwrite, deactivation, and permanent deletion of boilerplate templates within the system. The issue is categorized under CWE-306 (Missing Authentication for Critical Function) and has a critical CVSS 3.1 score of 9.8. The vulnerability is addressed in faction version 1.8.3.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to fully compromise boilerplate templates by reading, overwriting, deactivating, or permanently deleting them. This can lead to significant integrity and availability impacts on the system's template management functionality. The CVSS score of 9.8 reflects high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
This vulnerability is fixed in faction version 1.8.3. Users should upgrade to version 1.8.3 or later to remediate this issue. Patch status is not explicitly stated beyond this fix version, so verifying with the vendor advisory is recommended for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-07T16:20:08.659Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a15e037891d628fdc67d8bc
Added to database: 5/26/2026, 6:02:31 PM
Last enriched: 5/26/2026, 6:32:16 PM
Last updated: 5/26/2026, 10:22:51 PM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.