Skip to main content

HAXcms CVE-2026-46395

| EUVDEUVD-2026-34886 CRITICAL
Information Exposure (CWE-200)
2026-05-19 https://github.com/haxtheweb/issues GHSA-6c8g-9hfh-pq5h
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 05, 2026 - 19:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 05, 2026 - 19:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 05, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jun 05, 2026 - 19:22 NVD
9.3 (CRITICAL)
Source Code Evidence Fetched
May 19, 2026 - 15:30 vuln.today
Analysis Generated
May 19, 2026 - 15:30 vuln.today

DescriptionGitHub Advisory

Summary

The hmacBase64() function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs) allowing them to get full admin access with a single HTTP request.

Details

Bug 1: Hardcoded HMAC Key (line 2160): The function passes the literal string "0" as the HMAC signing key instead of the key parameter, making every HAXcms instance compute identical HMACs for the same input.

Bug 2: Private Key Appended to Output (lines 2161- 2163): After computing the HMAC, the function concatenates the real key parameter which is "this.privateKey + this.salt", the system’s master signing secret is directly onto the output. The combined buffer is base64-encoded and returned as the token.

Every base64url token produced has the same structure: 32 bytes HMAC keyed with "0" and N bytes of privateKey+salt. An attacker base64-decodes any token, discards the first 32 bytes, and reads the private key directly.

The /system/api/connectionSettings endpoint is unauthenticated and returns multiple tokens generated by this function. A single GET request to this endpoint exposes the private key.

The PHP backend (HAXCMS.php:1619-1631) implements this function correctly with the actual key and returns only the hash. The PHP version produces 44-character tokens whereas the broken Node.js version produces 139+ character tokens.

PoC

  1. GET request to /system/api/connectionSettings endpoint and fetch the token.
  2. Extract the private key from the fetched token. The hmacBase64() function produces 32 bytes with HMAC-SHA256 with hardcoded key "0" and the rest of the bytes are privateKey+salt (plaintext). Decode the Base64 token, discard the first 32 bytes, read the remaining bytes as UTF-8 (this is your extracted private key).
  3. Since JWT's are signed with privateKey+salt, use this stolen private key to forge a JWT for admin using JWT.sign(payload, this.privateKey+this.salt). NOTE: the payload uses {id, user (set this as admin), iat (current timestamp), exp (expiration timestamp)}
  4. The same key can also be used to create other tokens (user_token, base_token, form_token, etc).
  5. Use these forged tokens to hit all authenticated endpoints (modify/delete/create etc) with admin privileges.

Impact

An unauthenticated attacker can perform the complete attack chain with a single HTTP request:

  1. Extract private key: GET "/system/api/connectionSettings", base64-decode any token, discard first 32 bytes.
  2. Forge admin JWT: sign arbitrary JWT payloads with the stolen privateKey+salt.
  3. Forge all request tokens: compute valid user_token, site_token for any API call.
  4. Full admin access: create/modify/delete sites, upload files, modify content.

This works even if the admin has changed the default credentials to a strong password. The forged tokens produce no login events in logs.

AnalysisAI

Private key disclosure in HAXcms Node.js backend (@haxtheweb/haxcms-nodejs <= 25.0.0) lets unauthenticated remote attackers extract the master JWT signing secret via a single GET to /system/api/connectionSettings and forge admin-level JWTs for complete site takeover. The broken hmacBase64() function appends the raw privateKey+salt to its output, exposing it through any token the server emits. Publicly available exploit code exists in the GHSA advisory PoC, and the CVSS 4.0 score of 9.3 reflects trivial network exploitation with no privileges or user interaction.

Technical ContextAI

HAXcms is a headless CMS distributed as the @haxtheweb/haxcms-nodejs npm package with a parallel PHP implementation. The Node.js backend's hmacBase64() helper (around lines 2160-2163) contains two compounding cryptographic defects: it calls HMAC-SHA256 with the literal string '0' instead of the supplied key argument, and then concatenates the real key material (this.privateKey + this.salt) onto the HMAC output before base64-encoding the buffer as a token. Because JWTs issued by the server are signed with privateKey+salt, recovering that secret allows forging arbitrary signed tokens. The defect is mapped to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor); notably, the PHP backend at HAXCMS.php:1619-1631 implements the same routine correctly and is not affected, which is why broken Node.js tokens are 139+ characters versus the PHP version's 44 characters - a useful fingerprint for triage.

RemediationAI

Vendor-released patch: upgrade @haxtheweb/haxcms-nodejs to 26.0.0 or later (npm install @haxtheweb/haxcms-nodejs@^26.0.0), per GHSA-6c8g-9hfh-pq5h. Because any token the server has ever emitted leaks the signing secret, after patching operators must rotate this.privateKey and this.salt and invalidate all previously issued JWTs and request tokens (user_token, base_token, site_token, form_token) - patching alone leaves the old secret compromised. Where immediate upgrade is not possible, restrict network access to /system/api/connectionSettings via reverse-proxy ACLs or WAF rules so only trusted admin networks can reach it; this is a meaningful workaround but may break legitimate frontend bootstrapping that relies on the endpoint, and any other endpoint that returns a hmacBase64()-produced token will continue to leak the key, so block-listing one path is not a complete fix. As a stopgap consider migrating to the PHP backend, which implements the routine correctly. Audit site content, user lists, and uploaded files for unauthorized changes since the vulnerable version was deployed.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-46395 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy