Skip to main content

HAX open-apis EUVDEUVD-2026-34882

| CVE-2026-46391 HIGH
Permissive List of Allowed Inputs (CWE-183)
2026-05-19 https://github.com/haxtheweb/issues GHSA-4fg7-f244-3j49
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 05, 2026 - 19:33 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 05, 2026 - 19:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 05, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jun 05, 2026 - 19:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 19, 2026 - 15:32 vuln.today
Analysis Generated
May 19, 2026 - 15:32 vuln.today

DescriptionGitHub Advisory

Summary

Multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched substrings to an attacker-controlled endpoint and capture authentication.

Details

api/services/website/cacheAddress.js, api/apps/haxcms/lib/JOSHelpers.js, and api/apps/haxcms/convert/elmslnToSite.js use similar logic to check for hard-coded site names. However, the logic only looks for the substring to be included in the user-controlled string, allowing an attacker to craft an API call and extract the credentials intended for the hard-coded domains.

PoC

Making API calls to an affected endpoint will result in credential theft. The attacker-controlled domains in these proofs of concept are cloudflared tunnels, protecting the production credentials from unencrypted exposure.

cacheAddress.js: <img width="3404" height="1656" alt="ssrf_cred_theft" src="https://github.com/user-attachments/assets/0a87cef5-3c4d-450a-8bb7-35123d5f621b" />

elmslnToSite.js: <img width="3409" height="1641" alt="theft2" src="https://github.com/user-attachments/assets/bede82cc-a613-4fc7-bbf6-76166af784f5" />

JOSHelpers.js: <img width="3407" height="1597" alt="theft3" src="https://github.com/user-attachments/assets/4f3f8bee-443e-4b22-9d41-eb9726619d36" />

Impact

This vulnerability allows internal data, including secrets, to be exfiltrated to an attacker-controlled domain. Credentials were confirmed with the maintainer to grant access to unreleased LMS content on subsequent systems; out of scope for PoC.

AnalysisAI

Credential theft via SSRF in HAX open-apis (npm @haxtheweb/open-apis) before version 26.0.0 allows remote unauthenticated attackers to capture HTTP Basic authentication intended for hard-coded trusted domains. The flaw stems from substring-only hostname validation in cacheAddress.js, JOSHelpers.js, and elmslnToSite.js, which lets an attacker craft a URL containing the trusted substring but pointing to attacker infrastructure. A proof-of-concept exists and the maintainer confirmed the leaked credentials grant access to unreleased LMS content on downstream systems, though no public exploitation has been observed.

Technical ContextAI

The affected component is @haxtheweb/open-apis, a Node.js backend package that powers HAX/HAXcms - an open-source content authoring and learning management ecosystem. Three server-side functions attempt to gate HTTP Basic credential injection on a list of hard-coded hostnames, but use naive String.includes()-style substring matching rather than proper URL parsing and exact hostname comparison. This is CWE-183 (Permissive List of Allowed Inputs): the allowlist check passes for any URL whose hostname or path merely contains the trusted token, so a host like 'trusted-domain.attacker.tld' or a path like '/trusted-domain' satisfies the validator and the server-side fetch is sent - along with the Authorization header - to an attacker-controlled origin. The result is a textbook SSRF-meets-credential-leak primitive.

RemediationAI

Apply the vendor-released patch by upgrading @haxtheweb/open-apis to version 26.0.0 or later (npm install @haxtheweb/open-apis@^26.0.0 and redeploy), per GHSA-4fg7-f244-3j49 at https://github.com/haxtheweb/issues/security/advisories/GHSA-4fg7-f244-3j49. If immediate upgrade is not possible, patch the three call sites (api/services/website/cacheAddress.js, api/apps/haxcms/lib/JOSHelpers.js, api/apps/haxcms/convert/elmslnToSite.js) to parse the URL with the WHATWG URL API and compare the parsed hostname against the allowlist with exact equality or strict suffix matching anchored to a dot, instead of String.includes; as a network-layer compensating control, restrict the open-apis service's egress so it can only reach the explicitly trusted upstream hostnames (egress allowlist / outbound proxy), which prevents credential leakage to arbitrary attacker domains at the cost of having to maintain that allowlist when upstream integrations change. Operators should also rotate any Basic auth credentials that were previously embedded in these code paths, since they must be assumed exposed.

Share

EUVD-2026-34882 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy