CVE-2026-46391
Authorization Bypass in HAX CMS Open-APIs
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| haxtheweb | open_apis | up to 26.0.0 (exclusive) |
| haxtheweb | open_apis | 26.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-183 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-46391 is a high-severity vulnerability in the npm package @haxtheweb/open-apis affecting versions greater than 9.0.1 and prior to 26.0.0.
The issue is a Server-Side Request Forgery (SSRF) caused by improper hostname validation: several functions decide whether to attach Basic Authorization credentials to an outbound request using substring-only matching on the target URL rather than an exact comparison of the parsed hostname.
Because the check passes as long as the expected hostname appears anywhere in the URL, an attacker-controlled endpoint whose URL contains that substring is treated as trusted, and the package sends the credentials to it, allowing the attacker to capture them.
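The following is an added illustration of the weak-allow-list pattern (CWE-183) described above, placed beside a hardened check; it is not code from @haxtheweb/open-apis, and the function names, the trusted host and the sample URLs are constructed for the example.

```javascript
// Added example: substring-based host check vs. exact parsed-hostname check.
// NOT the @haxtheweb/open-apis source; names and hosts below are hypothetical.

// Constructed allow-list entry: the only host that should receive credentials.
const TRUSTED_HOST = "lms.example.edu";

// Weak check (the bug class in the advisory): a raw substring test on the URL.
// Any URL that merely *contains* the trusted name passes.
function shouldSendCredentialsWeak(target) {
  return target.includes(TRUSTED_HOST);
}

// Hardened check: parse the URL, require HTTPS, and compare the hostname
// exactly (case-insensitively) against the allow-list entry.
function shouldSendCredentialsStrict(target) {
  let u;
  try {
    u = new URL(target);
  } catch {
    return false; // unparseable input never gets credentials
  }
  if (u.protocol !== "https:") return false;
  return u.hostname.toLowerCase() === TRUSTED_HOST;
}

// Run both checks over a list of outbound targets and return the decisions,
// so a reviewer can see exactly where the two policies disagree.
function compareChecks(targets) {
  return targets.map((t) => ({
    target: t,
    weak: shouldSendCredentialsWeak(t),
    strict: shouldSendCredentialsStrict(t),
  }));
}

// Constructed sample targets: one legitimate, the others shaped like the
// "trusted substring inside an untrusted URL" case the advisory describes.
const SAMPLE_TARGETS = [
  "https://lms.example.edu/api/content",                // legitimate
  "https://lms.example.edu.attacker.invalid/collect",   // trusted name as subdomain prefix
  "https://attacker.invalid/?next=lms.example.edu",     // trusted name in the query string
  "http://lms.example.edu/api/content",                 // right host, but plaintext transport
];

console.table(compareChecks(SAMPLE_TARGETS)); // weak: 4 true; strict: only the first is true
```

Only the first target passes the strict check; the weak check approves all four, which is exactly the gap the fixed versions close.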
How can this vulnerability impact me?
This vulnerability can lead to the exfiltration of internal data, including secrets and authentication credentials.
Attackers can steal these credentials without requiring any privileges, user interaction, or complex attacks.
Stolen credentials could grant unauthorized access to unreleased LMS content or other sensitive internal resources.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Server-Side Request Forgery (SSRF) caused by substring-only hostname validation: a request whose URL merely contains the expected hostname is treated as trusted, so credentials can be sent to an attacker-controlled endpoint.
To detect exploitation attempts, monitor outbound requests made by systems running affected @haxtheweb/open-apis versions (greater than 9.0.1 and prior to 26.0.0) for destinations whose hostname only contains the expected name as a substring (for example as a subdomain prefix or in the query string) instead of matching it exactly.
You can use network monitoring tools or commands such as:
- tcpdump or Wireshark to capture outgoing HTTP traffic and inspect the destination hostnames.
- grep or similar tools to search application logs for unexpected external URLs or for authorization headers being sent to them.
- Example tcpdump command: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -i 'Authorization' (note that on port 443 the headers are inside TLS, so this only reveals Authorization headers in plaintext HTTP; for HTTPS, inspect the destination host via DNS queries or the TLS SNI instead).
- Example log search command: grep -r 'http' /path/to/logs | grep -E 'attacker-controlled-domain|suspicious-hostname' (replace the pattern with the hostnames you consider suspicious).
These commands help identify whether the vulnerable functions are sending authorization headers to unauthorized or attacker-controlled endpoints.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the @haxtheweb/open-apis package to version 26.0.0 or later, where the vulnerability has been fixed.
Until the upgrade can be applied, consider the following immediate actions:
- Restrict outbound network traffic from the affected system to only trusted domains to prevent exfiltration of credentials to attacker-controlled endpoints.
- Monitor logs and network traffic for suspicious requests as described in the detection section.
- Review and limit the use of basic authorization credentials within the application where possible.
Applying the official patch by upgrading to version 26.0.0 is the most effective and recommended mitigation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to steal authentication credentials and exfiltrate internal data, including secrets, to attacker-controlled domains.
Such unauthorized access and data exfiltration could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized disclosure.
Therefore, exploitation of this vulnerability may result in non-compliance with these common standards and regulations due to compromised confidentiality and potential exposure of protected data.