CVE-2026-46391
Deferred Deferred - Pending Action
Authorization Bypass in HAX CMS Open-APIs

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched substrings to an attacker-controlled endpoint and capture authentication. Version 26.0.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-08
Generated
2026-06-27
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-25
NVD
CVE-2026-46391
EUVD
EUVD-2026-34882
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
haxtheweb open_apis to 26.0.0 (exc)
haxtheweb open_apis 26.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-183 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-46391 is a high-severity vulnerability in the npm package @haxtheweb/open-apis affecting versions greater than 9.0.1 and prior to 26.0.0.

The issue is a Server-Side Request Forgery (SSRF) caused by improper hostname validation in multiple functions that use substring-only matching to decide where to send basic authorization credentials.

An attacker can exploit this by appending matched substrings to attacker-controlled endpoints, allowing them to capture authentication details.

Impact Analysis

This vulnerability can lead to the exfiltration of internal data, including secrets and authentication credentials.

Attackers can steal these credentials without requiring any privileges, user interaction, or complex attacks.

Stolen credentials could grant unauthorized access to unreleased LMS content or other sensitive internal resources.

Detection Guidance

This vulnerability involves Server-Side Request Forgery (SSRF) due to improper hostname validation that allows attackers to append matched substrings to attacker-controlled endpoints and capture authentication credentials.

To detect exploitation attempts on your network or system, monitor outgoing requests from the affected @haxtheweb/open-apis package versions (greater than 9.0.1 and prior to 26.0.0) for unusual or unexpected external endpoints, especially those that appear to be attacker-controlled domains.

You can use network monitoring tools or commands such as:

  • tcpdump or Wireshark to capture and analyze outgoing HTTP requests for suspicious hostnames.
  • grep or similar tools to search application logs for unexpected external URLs or authorization headers being sent.
  • Example tcpdump command: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -i 'Authorization'
  • Example log search command: grep -r 'http' /path/to/logs | grep -E 'attacker-controlled-domain|suspicious-hostname'

These commands help identify if the vulnerable functions are sending authorization headers to unauthorized or attacker-controlled endpoints.

Mitigation Strategies

The primary mitigation step is to upgrade the @haxtheweb/open-apis package to version 26.0.0 or later, where the vulnerability has been fixed.

Until the upgrade can be applied, consider the following immediate actions:

  • Restrict outbound network traffic from the affected system to only trusted domains to prevent exfiltration of credentials to attacker-controlled endpoints.
  • Monitor logs and network traffic for suspicious requests as described in the detection section.
  • Review and limit the use of basic authorization credentials within the application where possible.

Applying the official patch by upgrading to version 26.0.0 is the most effective and recommended mitigation.

Compliance Impact

This vulnerability allows attackers to steal authentication credentials and exfiltrate internal data, including secrets, to attacker-controlled domains.

Such unauthorized access and data exfiltration could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized disclosure.

Therefore, exploitation of this vulnerability may result in non-compliance with these common standards and regulations due to compromised confidentiality and potential exposure of protected data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46391. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart