CVE-2026-46401
Status: Deferred - Pending Action
Improper Session Termination in HAX CMS

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: GitHub, Inc.

Description
HAX CMS manages a universe of microsites with PHP or Node.js backends. Versions prior to 26.0.0 have an improper session termination vulnerability: authentication tokens remain valid after the user logs out. An attacker who obtains a valid token can therefore keep persistent access to authenticated CMS functionality, bypassing the intended session termination and gaining unauthorized access to CMS metadata and administrative functions. Version 26.0.0 fixes the issue.
Meta Information
Published: 2026-06-05
Last Modified: 2026-06-05
Generated: 2026-06-06
AI Q&A: 2026-06-05
EPSS Evaluated: N/A
External records: NVD, EUVD
Affected Vendors & Products
Showing 3 associated CPEs
Vendor: haxtheweb, Product: hax_cms, Version / Range: 26.0.0
Vendor: haxtheweb, Product: hax_cms, Version / Range: up to 26.0.0 (excluding)
Vendor: haxtheweb, Product: hax_cms, Version / Range: 25.0.0
CWE-613: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in HAX CMS versions prior to 26.0.0 is an improper session termination issue where authentication tokens remain valid even after a user logs out.

This happens because the logout function only clears the client-side state but does not revoke the tokens on the server side.

As a result, attackers who obtain valid tokens can reuse them to maintain persistent unauthorized access to the CMS, bypassing the intended session termination.

This allows attackers to access CMS metadata and administrative functions without proper authorization.

How can this vulnerability impact me?

This vulnerability can allow attackers who have obtained valid authentication tokens to maintain persistent unauthorized access to the CMS.

They can bypass logout mechanisms and continue accessing sensitive CMS metadata and administrative functions.

This can lead to exposure of site structure, unauthorized administrative actions, and potential compromise of the managed microsite universe.

The attack requires valid credentials and token capture but has low complexity and can be performed remotely over the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for reuse of authentication tokens after a user has logged out. Since tokens remain valid on the server side even after logout, an attacker could replay these tokens to access CMS functionality.

To detect this on your system or network, you can look for repeated use of the same authentication token in requests following a logout event from the same user session.

Commands or methods to help detect this include:

  • Capture HTTP traffic to the HAXCMS endpoints using tools like tcpdump or Wireshark and analyze for authentication tokens being reused after logout.
  • Use curl or similar HTTP clients to manually test token reuse by capturing a token, logging out, then attempting to reuse the token to access protected endpoints.
  • Check server logs for multiple requests using the same token after a logout event.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade HAXCMS to version 26.0.0 or later, where this session termination vulnerability has been fixed.

Until the upgrade can be applied, consider implementing server-side token revocation on logout to ensure tokens are invalidated immediately.

Additionally, monitor for suspicious token reuse and restrict access to the CMS to trusted networks or users to reduce the risk of token theft and replay.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to maintain unauthorized access to CMS metadata and administrative functions by reusing authentication tokens after logout. This persistent unauthorized access could lead to exposure of sensitive data or administrative controls.

Such unauthorized access and potential data exposure may negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require proper session management and protection of sensitive information.

However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.