CVE-2026-46395
HMAC JWT Forgery in HAX CMS Node.js Backend
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| haxtheweb | haxcms-nodejs | to 26.0.0 (exc) |
| haxtheweb | haxcms | to 26.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an unauthenticated attacker to extract the system’s private signing key and forge admin-level JSON Web Tokens, granting full administrative access without detection.
Such unauthorized access and exposure of sensitive cryptographic keys can lead to breaches of confidentiality, integrity, and availability of data managed by the system.
Consequently, organizations using vulnerable versions of HAXcms Node.js backend may fail to comply with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access.
The stealthy nature of the attack, which does not generate login events, further complicates detection and incident response, increasing the risk of non-compliance with security and audit requirements.
Can you explain this vulnerability to me?
CVE-2026-46395 is a critical vulnerability in the HAXcms Node.js backend versions 25.0.0 and earlier. The vulnerability arises from two cryptographic implementation errors in the `hmacBase64()` function. First, the function incorrectly uses the literal string "0" as the HMAC signing key instead of the actual key parameter, causing all instances to generate identical HMACs for the same input. Second, after computing the HMAC, the function appends the system’s private signing key (the concatenation of privateKey and salt) directly to the output before base64 encoding it. This means that any token produced contains the private key in a readable form after decoding.
An unauthenticated attacker can exploit this by sending a single HTTP GET request to the unauthenticated `/system/api/connectionSettings` endpoint, which returns tokens generated by this flawed function. By base64-decoding any token and discarding the first 32 bytes, the attacker can extract the private signing key. With this key, the attacker can forge arbitrary admin-level JSON Web Tokens (JWTs), gaining full administrative access to the system.
How can this vulnerability impact me? :
This vulnerability allows an unauthenticated attacker to obtain the system’s private signing key and forge admin-level JWTs, granting them full administrative access with a single HTTP request.
- Unauthorized creation, modification, or deletion of content.
- Uploading files or other malicious content.
- Performing any administrative actions without detection, as forged tokens do not generate login events in logs, making the attack stealthy.
Overall, this leads to high confidentiality, integrity, and availability losses for the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending an unauthenticated HTTP GET request to the `/system/api/connectionSettings` endpoint of the HAXcms Node.js backend. This endpoint returns tokens that contain the private signing key due to the flawed `hmacBase64()` function.
To detect the vulnerability, you can retrieve one of these tokens and base64-decode it. After decoding, discard the first 32 bytes (the HMAC) and inspect the remaining bytes. If the private key and salt are exposed in the token, the system is vulnerable.
A simple command using curl and base64 decoding on a Unix-like system could be:
- curl -s http://<target-host>/system/api/connectionSettings | grep -oP '"token":"\K[^"]+' | head -1 | base64 -d | tail -c +33
If the output reveals readable private key material (the privateKey + salt), the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the HAXcms Node.js backend package to version 26.0.0 or later, where the vulnerability is fixed.
Until the upgrade can be applied, restrict access to the `/system/api/connectionSettings` endpoint to trusted users or internal networks only, as it is unauthenticated and exposes sensitive tokens.
Additionally, consider invalidating any existing tokens and rotating the private signing keys after applying the fix to prevent misuse of any previously exposed keys.