Executive Summary

CVE-2026-4562 is a security flaw in MacCMS version 2025.1000.4052 affecting the Timming API Endpoint. The vulnerability arises because the API endpoint `api/Timming` allows execution of backend scheduled tasks without any authentication.

Specifically, the backend controller bypasses login checks when requests are made via the API entrance targeting the `Timming/index` path. This means an attacker can send unauthenticated requests to trigger scheduled tasks configured in the system.

The exploit requires that the site allows access to `api.php` and that at least one scheduled task is enabled. No administrator cookie or API token is needed to exploit this flaw.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to trigger backend scheduled tasks without authorization, which can lead to several security and operational impacts.

• Unauthorized execution of scheduled tasks such as cache clearing or static page generation, potentially causing service disruption.
• If scheduled tasks involve data collection or pushing URLs, attackers could cause server-side request forgery (SSRF), external network requests, or mass content injection.
• Sensitive tasks could be abused to disrupt business operations or gain unauthorized access to remote resources.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unauthenticated requests to the vulnerable API endpoint that trigger scheduled tasks. Specifically, look for GET requests to the path `/api.php/timming/index` with parameters such as `name` (the scheduled task name) and `enforce=1`.'}, {'type': 'paragraph', 'content': 'You can use network monitoring or web server logs to identify such suspicious requests.'}, {'type': 'list_item', 'content': 'Example command to detect exploitation attempts via web server logs (assuming Apache logs):'}, {'type': 'list_item', 'content': 'grep "/api.php/timming/index" /var/log/apache2/access.log | grep "enforce=1"'}, {'type': 'list_item', 'content': 'Using curl to test if the endpoint is accessible without authentication:'}, {'type': 'list_item', 'content': 'curl -v "http://<target-host>/api.php/timming/index?name=<task_name>&enforce=1"'}, {'type': 'paragraph', 'content': 'Replace `<target-host>` with your server address and `<task_name>` with the name of an enabled scheduled task (e.g., cache clearing). A successful response indicating task execution confirms the vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include removing the authentication bypass in the backend controller handling the vulnerable API endpoint.

• Remove or fix the bypass in `application/admin/controller/Base.php` that allows unauthenticated access to `api/Timming/index`.
• Implement strong authentication mechanisms such as HMAC signatures, fixed source IP whitelisting, or high-entropy secret keys for accessing the scheduled task API.
• Avoid exposing backend scheduled tasks directly via public APIs; instead, create a dedicated task execution layer with proper access controls.
• Add permission checks for the `enforce=1` parameter to prevent forced execution of tasks by unauthorized users.
• Enable logging of request sources, task names, and execution results for auditing and detection of suspicious activity.

Useful 0 Not Useful 0