CVE-2026-49952
Deferred - Pending Action
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulnCheck

Description
Discuz! X5.0 releases 20260320 through 20260501 contain an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to database backup and restore functionality by exploiting a shared cryptographic key between UCenter integration and the database backup API exposed by dbbak.php. Attackers can inject a crafted payload through the username parameter during login to abuse the encryption oracle in logging_ctl::logging_more(), obtain a legitimately signed token, and use it to bypass authorization for database export and import operations, with the additional ability to trigger a race condition to impersonate arbitrary users.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs

Vendor  | Product | Version / Range
discuz! | x5.0    | From 2026-03-20 (inc) to 2026-05-01 (inc)
discuz! | x5.0    | to 2026-05-10 (inc)
discuz  | discuz  | From 20260320 (inc) to 20260501 (inc)
CWE

CWE ID  | Description
CWE-323 | Nonces should be used for the present occasion and only once.
Executive Summary

CVE-2026-49952 is an authentication bypass vulnerability in Discuz! X5.0 versions released between March 20, 2026, and May 1, 2026. It arises because a cryptographic key (UC_KEY) is shared between unrelated components, specifically the UCenter integration and the database backup API exposed by dbbak.php. This shared key allows attackers to reuse tokens across different contexts, breaking cryptographic isolation.

An unauthenticated remote attacker can inject a crafted payload through the username parameter during login. This payload is encrypted using the shared key, producing a legitimately signed token that bypasses authorization checks for database export and import operations. Additionally, the attacker can trigger a race condition to impersonate arbitrary users.

Impact Analysis

This vulnerability allows unauthenticated remote attackers to gain unauthorized access to critical database backup and restore functions. Attackers can export and import the database without proper authorization, potentially leading to data theft, data manipulation, or service disruption.

Moreover, by exploiting a race condition, attackers can impersonate arbitrary users, which may lead to privilege escalation or further unauthorized actions within the system.

When combined with other vulnerabilities, such as those enabling remote code execution, this flaw can lead to full system compromise.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized access attempts to the database backup and restore functionality exposed by dbbak.php in Discuz! X5.0 versions released between 20260320 and 20260501.

Specifically, detection involves looking for unusual login attempts where the username parameter contains crafted payloads that exploit the encryption oracle in logging_ctl::logging_more().

Network or system administrators can check web server logs for requests to /api/db/dbbak.php and login requests with suspicious or malformed username parameters.

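While no explicit commands are provided in the resources, administrators can use grep or other log analysis utilities to search for such patterns. In the second command, payload_pattern is a placeholder for the expression a site uses to define a suspicious username. For example: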

  • grep 'dbbak.php' /var/log/httpd/access_log
  • grep 'username=' /var/log/httpd/access_log | grep -E 'payload_pattern'

Additionally, monitoring for unexpected database export or import operations can help detect exploitation attempts.
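
One way to turn the log checks above into a repeatable scan, as an added example that is not from the advisory or from Discuz!: it flags requests to /api/db/dbbak.php from outside a trusted range and correlates them with earlier login requests from the same client whose username parameter looks malformed. The combined log format, the login URL, the trusted ranges and the username heuristic are assumptions, and the sample lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Assumptions, not from the advisory: combined log format, the trusted
# ranges, and the heuristic for what counts as a "malformed" username.
TRUSTED = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]
MAX_USERNAME_LEN = 64
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')
LOGIN = "/member.php?mod=logging&action=login&username="  # assumed login URL
FILLER = "x" * 90 + "%00"  # constructed filler, not a real payload
# Constructed sample lines, not real traffic.
SAMPLE_LOG = "\n".join([
    '198.51.100.7 - - [15/Jun/2026:10:00:01 +0000] "GET /forum.php HTTP/1.1" 200 5120',
    f'203.0.113.9 - - [15/Jun/2026:10:01:00 +0000] "GET {LOGIN}alice HTTP/1.1" 200 900',
    f'203.0.113.50 - - [15/Jun/2026:10:02:00 +0000] "GET {LOGIN}{FILLER} HTTP/1.1" 200 812',
    '203.0.113.50 - - [15/Jun/2026:10:02:05 +0000] "GET /api/db/dbbak.php HTTP/1.1" 200 64',
    '10.1.2.3 - - [15/Jun/2026:10:03:00 +0000] "GET /api/db/dbbak.php HTTP/1.1" 200 64',
    '192.0.2.44 - - [15/Jun/2026:10:04:00 +0000] "GET /api/db/dbbak.php HTTP/1.1" 403 12',
])

def is_trusted(ip):
    try:
        return any(ip_address(ip) in net for net in TRUSTED)
    except ValueError:  # hostname logged instead of an address
        return False

def suspicious_username(value):
    # Heuristic only: over-long, or non-printable characters after URL-decoding.
    return len(value) > MAX_USERNAME_LEN or not value.isprintable()

def scan(log_text):
    findings, flagged = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, target, status = m.groups()
        url = urlsplit(target)
        names = parse_qs(url.query, keep_blank_values=True).get("username", [])
        if any(suspicious_username(n) for n in names):
            flagged.add(ip)
            findings.append((ts, ip, "malformed-username", status))
        if url.path.endswith("/api/db/dbbak.php") and not is_trusted(ip):
            kind = "dbbak-after-flagged-login" if ip in flagged else "dbbak-untrusted-source"
            findings.append((ts, ip, kind, status))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="  ")
```

A username sent in a POST body does not appear in the access log, so covering that case needs request-body logging from a WAF or the application itself.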

Mitigation Strategies

The immediate mitigation step is to upgrade Discuz! X5.0 to version 20260510 or later, where the vulnerability has been patched.

Until the upgrade can be applied, restrict access to the /api/db/dbbak.php endpoint to trusted users or internal networks only.

Additionally, review and change the global authkey setting in the /config/config_ucenter.php file to ensure cryptographic isolation between components.

Monitoring and logging access to database backup and restore functions should be enhanced to detect any suspicious activity.
