Severity: HIGH | CVE-2026-45090 | CNA: GitHub_M

CVE-2026-45090: Dalfox: Unauthenticated Remote DoS via Closed-Channel Write in `ParameterAnalysis` (server mode)

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both write to the same results channel. The channel is correctly closed after the first stage completes (close(results) at line 438), but the second stage — which processes POST-body parameters (dp) — is then launched with the same already-closed channel as its output. When a scanned parameter is reflected, processParams executes results <- paramResult on the closed channel, triggering a Go runtime panic that crashes the entire dalfox process. In server mode, the crash is remotely triggerable by any unauthenticated caller who can reach the REST API, because the default configuration has no API key and the second stage activates whenever options.Data != "" (i.e., the attacker supplies the data field) and the target reflects at least one parameter. This vulnerability is fixed in 2.13.0.
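The close-then-write ordering described above, reduced to a minimal model. This is an added example, not Dalfox's source: `stage`, `analyze` and `closeEarly` are hypothetical names, the `recover()` exists only so the demo can report the panic (an unrecovered panic terminates the whole process), and closing once after the last writer is a general remedy for this bug class, not necessarily the change made in 2.13.0.

```go
package main

import "fmt"

// stage stands in for one worker stage: it reports each reflected parameter
// on results. The recover() is demo-only; in a real program without it, the
// "send on closed channel" panic kills the process.
func stage(params []string, results chan<- string) (crash string) {
	done := make(chan struct{})
	go func() {
		defer close(done)
		defer func() {
			if r := recover(); r != nil {
				crash = fmt.Sprint(r)
			}
		}()
		for _, p := range params {
			results <- p
		}
	}()
	<-done
	return crash
}

// analyze runs the query stage, then the body stage only when body params
// exist (the options.Data != "" condition). closeEarly=true reproduces the
// flawed ordering; closeEarly=false closes after the last writer is done.
func analyze(query, body []string, closeEarly bool) (found int, crash string) {
	results := make(chan string, len(query)+len(body))
	stage(query, results)
	if closeEarly {
		close(results) // flawed: stage two still has to write
	}
	if len(body) > 0 {
		crash = stage(body, results)
	}
	if !closeEarly {
		close(results) // hardened: single close, after every writer
	}
	for range results {
		found++
	}
	return found, crash
}

func main() {
	fmt.Println(analyze([]string{"q"}, []string{"user"}, true))
	fmt.Println(analyze([]string{"q"}, []string{"user"}, false))
}
```

With an empty body slice the early close is harmless, which is why the crash only appears when the request carries a data field.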

HarborGuard Analysis


Synopsis

This is a denial-of-service vulnerability in Dalfox, an open-source XSS scanning tool. When running in server mode, an unauthenticated remote attacker can trigger a Go runtime panic by sending a crafted API request that causes a write to an already-closed results channel inside the ParameterAnalysis worker pipeline. Successful exploitation crashes the entire Dalfox process, making the scanner unavailable. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Dalfox as a tool or base dependency. Any image containing a Dalfox version below 2.13.0 is flagged in the pipeline scan results.

Status: Available

Triage

HarborGuard scores this finding at CVSS 7.5 HIGH and weights it against each environment's compliance policy to determine escalation priority. Routed findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream release lands. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Dalfox REST API over the network; in the default server-mode configuration there is no network restriction, so any host that can route to the server is a potential source.

  • Authentication: Not required

    The default Dalfox server configuration requires no API key, so no credentials are needed to submit a scan request.

  • Victim interaction: Not required

    No user action is required; the attacker triggers the crash entirely through a crafted API request without any involvement from a legitimate user.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free given a reachable target: the attacker simply supplies a non-empty data field and a target that reflects at least one parameter, both of which are attacker-controlled inputs.

Blast Radius

  • The Dalfox server process crashes immediately on a successful panic, dropping all in-progress scans and making the REST API unreachable until the process is manually restarted.
  • Any queued or running scan jobs at the time of the crash are lost, disrupting automated security pipeline workflows that depend on Dalfox for XSS detection.
  • No confidentiality or integrity impact is present; the attacker gains no read or write access to data, only the ability to halt the service.

How HarborGuard Handles This

Available on HarborGuard: because no fix version exists for this CVE, HarborGuard monitors the upstream advisory on every ingest cycle and will surface a patched-image rebuild opportunity the instant version 2.13.0 or a later fix is published. In the interim, compensating controls worth considering include network-policy rules that restrict access to the Dalfox server-mode port to trusted internal CIDR ranges only, egress filtering to limit which hosts can reach the API, and enabling an API key in the Dalfox configuration if the deployment allows it. For customers with auto-remediation enabled, the full rebuild-plus-PR flow will activate automatically once an upstream fix is confirmed, with no manual triage step required.


Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in:
  • Affected products: 1
  • Affected packages: hahwul / dalfox < 2.13.0
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H