CVE-2026-44668 Overview
CVE-2026-44668 is a critical missing authentication vulnerability [CWE-306] in FACTION, an open-source penetration testing report generation and collaboration framework. Versions prior to 1.8.3 fail to enforce session validation in the AccessControlInterceptor class, which is the authentication gate for all Struts2 actions. The interceptor calls invocation.invoke() unconditionally, allowing requests to bypass authentication checks. Four action methods in BoilerPlateConfig also omit local session validation. Unauthenticated remote attackers can read, overwrite, deactivate, and permanently delete any boilerplate template stored in the system. The vulnerability is fixed in FACTION version 1.8.3.
Critical Impact
Unauthenticated attackers can access and destroy boilerplate templates over the network without any user interaction, compromising confidentiality, integrity, and availability of FACTION report data.
Affected Products
- FACTION PenTesting Report Generation and Collaboration Framework
- All versions prior to 1.8.3
- Deployments exposing the Struts2 BoilerPlateConfig action endpoints
Discovery Timeline
- 2026-05-26 - CVE-2026-44668 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-44668
Vulnerability Analysis
FACTION uses the Apache Struts2 framework and routes every action through an AccessControlInterceptor. The interceptor is intended to verify that the requester holds a valid authenticated session before forwarding execution to the target action. In affected versions, the interceptor calls invocation.invoke() directly without performing this session check. Every Struts2 action becomes reachable without credentials when the interceptor is the sole authentication gate.
Four action methods inside the BoilerPlateConfig controller compound the issue. These methods handle reading, updating, deactivating, and deleting boilerplate report templates. None of them perform a local session validation as a defense-in-depth measure. Attackers can chain requests to enumerate templates, modify their content, mark them inactive, or remove them permanently. Boilerplate templates often contain client-specific report scaffolding and reusable findings, so tampering directly impacts the integrity of penetration test deliverables.
Root Cause
The root cause is missing authentication for a critical function [CWE-306]. The AccessControlInterceptor lacks a conditional gate around invocation.invoke(), and the BoilerPlateConfig action methods do not re-check the session locally. The result is a complete absence of authentication on four exposed endpoints.
Attack Vector
Exploitation requires only network access to the FACTION web application. An attacker sends crafted HTTP requests directly to the vulnerable BoilerPlateConfig action endpoints without supplying authentication cookies, tokens, or credentials. No user interaction is required, and the attack complexity is low. Refer to the GitHub Security Advisory GHSA-7cv6-h22r-2qf2 for the upstream technical write-up.
Detection Methods for CVE-2026-44668
Indicators of Compromise
- Unauthenticated HTTP requests reaching BoilerPlateConfig action endpoints in FACTION access logs.
- Unexpected modification, deactivation, or deletion of boilerplate templates outside of authorized administrative sessions.
- Boilerplate template records missing from the database without corresponding audit entries from authenticated users.
Detection Strategies
- Inspect application access logs for requests to FACTION Struts2 actions that lack a valid session cookie or authorization header.
- Correlate template create, update, and delete events with the source IP address and authenticated user identifier to identify orphaned actions.
- Run the FACTION version banner against an inventory check to flag any instance reporting a version earlier than 1.8.3.
Monitoring Recommendations
- Forward FACTION web server and application logs to a centralized logging or SIEM platform and alert on anonymous access to administrative actions.
- Monitor outbound traffic from FACTION hosts for exfiltration of template content following anomalous read activity.
- Track database write volume on the boilerplate template tables to detect bulk deletion or mass-overwrite patterns.
How to Mitigate CVE-2026-44668
Immediate Actions Required
- Upgrade FACTION to version 1.8.3 or later using the FACTION 1.8.3 release.
- Restrict network access to the FACTION application to trusted operator IP ranges or place it behind an authenticated reverse proxy or VPN.
- Audit boilerplate templates for unauthorized changes or deletions and restore from backup where tampering is identified.
Patch Information
The maintainers fixed the vulnerability in FACTION 1.8.3. The release adds session validation in AccessControlInterceptor and adds local session checks to the four affected BoilerPlateConfig action methods. Patch details are available in the GitHub Security Advisory GHSA-7cv6-h22r-2qf2 and the corresponding release notes.
Workarounds
- Block external access to the FACTION application at the network perimeter until the upgrade is complete.
- Enforce authentication at an upstream reverse proxy so that unauthenticated requests cannot reach the Struts2 action endpoints.
- Take temporary backups of the boilerplate template store so deleted or overwritten records can be recovered if exploitation is detected.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
