CVE-2026-46391 (Severity: HIGH, CNA: GitHub_M)

CVE-2026-46391: HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched substrings to an attacker-controlled endpoint and capture authentication. Version 26.0.0 fixes the issue.

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a Server-Side Request Forgery (SSRF) credential theft vulnerability in the @haxtheweb/open-apis package, which is part of the HAX CMS microsite management system. The flaw is reachable over the network with no authentication required, because multiple functions use substring-only hostname matching to decide when to attach HTTP Basic Authorization headers. A successful attacker can trick the affected server into sending those credentials to an attacker-controlled endpoint, capturing authentication tokens without any victim interaction. No fix version has been published upstream; HarborGuard is actively tracking the advisory for patch availability.
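The root cause described above, a substring-only hostname check deciding whether an outbound request may carry HTTP Basic Authorization, is illustrated below in Node.js. This is an added example, not code from @haxtheweb/open-apis or from HarborGuard; every hostname, function name and credential in it is constructed. It places the weak check beside an exact-hostname allowlist built on the WHATWG URL parser, and runs both over a constructed list of destinations so the difference is visible.

```javascript
// Added example (not code from @haxtheweb/open-apis): contrasting a
// substring-only hostname check with an exact-host allowlist when deciding
// whether an outbound request may carry an HTTP Basic Authorization header.
// All hostnames, credentials and function names below are constructed.

// Hosts this service is allowed to send Basic auth to (constructed allowlist).
const TRUSTED_HOSTS = ["api.example.org", "cdn.example.org"];

// Weak check: substring matching on the raw URL string. Any URL that merely
// contains a trusted name passes, including one where the trusted name is a
// leading label of a different registrable domain, or sits in the URL path.
function shouldSendBasicAuthWeak(targetUrl, trustedHosts = TRUSTED_HOSTS) {
  return trustedHosts.some((host) => targetUrl.includes(host));
}

// Hardened check: parse the URL and compare the hostname for exact equality
// (the parser lowercases it, so case differences do not matter). Only https
// targets qualify, so credentials never go on the wire in cleartext, and a
// URL carrying its own userinfo is rejected rather than merged with the
// configured credentials.
function shouldSendBasicAuthStrict(targetUrl, trustedHosts = TRUSTED_HOSTS) {
  let parsed;
  try {
    parsed = new URL(targetUrl);
  } catch {
    return false; // unparseable input never receives credentials
  }
  if (parsed.protocol !== "https:") return false;
  if (parsed.username || parsed.password) return false;
  return trustedHosts.includes(parsed.hostname);
}

// Build the outbound request headers. The Authorization header is attached
// only when the supplied policy function approves the destination.
function buildHeaders(targetUrl, creds, policy) {
  const headers = { Accept: "application/json" };
  if (policy(targetUrl)) {
    const token = Buffer.from(`${creds.user}:${creds.pass}`).toString("base64");
    headers.Authorization = `Basic ${token}`;
  }
  return headers;
}

// Constructed destinations: the first is legitimate; the second and third
// embed a trusted hostname inside another domain or inside the path; the
// fourth is the legitimate host written in upper case.
const DESTINATIONS = [
  "https://api.example.org/v1/items",
  "https://api.example.org.lookalike.test/collect",
  "https://lookalike.test/api.example.org/collect",
  "https://API.EXAMPLE.ORG/v1/items",
];

// Evaluate every destination under both policies and return the verdicts.
function comparePolicies(urls = DESTINATIONS) {
  return urls.map((url) => ({
    url,
    weak: shouldSendBasicAuthWeak(url),
    strict: shouldSendBasicAuthStrict(url),
  }));
}

for (const row of comparePolicies()) {
  console.log(`${row.url}\n  weak: ${row.weak}  strict: ${row.strict}`);
}
```

Under the weak policy the second and third destinations receive the Authorization header even though neither hostname is on the allowlist, while the upper-case legitimate host is refused; the strict policy gets all four right because it compares the parsed hostname, not the raw string. A useful detection check in a code review is to grep outbound-request code for `includes`, `indexOf` or `endsWith` applied to a URL string where an equality test on `new URL(...).hostname` was intended.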

HarborGuard Coverage

Detection (Available)

Detection capability for CVE-2026-46391 is available across all HarborGuard environments. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images containing @haxtheweb/open-apis versions 9.0.1 through 25.x.

Triage (Available)

Triage is available using the CVSS v4.0 score of 8.7 (HIGH), with per-environment compliance policy weighting applied to prioritize severity and route findings to the appropriate team inbox within each customer organization.

Patch (Pending upstream)

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is released upstream. In the interim, customers can apply compensating controls through HarborGuard network policy recommendations to reduce exposure.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; an attacker sends crafted requests to the exposed endpoint from a remote location.

  • Authentication: Not required

    No credentials or account are needed to trigger the vulnerable hostname-matching logic and cause the server to forward Basic Authorization headers.

  • Victim interaction: Not required

    The attack is fully server-side; no user needs to click a link or take any action for the credential forwarding to occur.

  • Attack complexity: Low (CVSS AC:L)

    Exploit reliability is high and no special conditions, race conditions, or environmental factors are required to carry out the attack.

Blast Radius

  • Attacker captures HTTP Basic Authorization credentials (usernames and passwords or tokens) that the affected service is configured to forward to trusted hosts.
  • Stolen credentials can be replayed against other services or APIs that accept the same Basic Authorization, expanding access beyond the initial target.
  • Confidentiality of data accessible via the captured credentials is fully compromised; the CVSS Vulnerable Component confidentiality impact is rated High.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-46391 has been published, HarborGuard continuously re-checks the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment version 26.0.0 or a later fix is released upstream. Until then, customers are encouraged to apply compensating controls: use HarborGuard network policy recommendations to restrict outbound HTTP calls from containers running @haxtheweb/open-apis to a strict allowlist of trusted hostnames, preventing the server from reaching attacker-controlled endpoints. Egress filtering rules can be generated and applied through the HarborGuard policy engine for environments where container network policies are supported. For customers with auto-remediation enabled, a rebuild and regression run will be triggered automatically once the upstream patch is available, and a PR will be opened against affected workloads where compliance policy permits.

Affected packages
  • haxtheweb / @haxtheweb/open-apis
    >= 9.0.1, < 26.0.0
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N