CVE-2026-46395: HAX CMS Vulnerable to Private Key Disclosure via Broken HMAC Implementation
HAX CMS helps manage a universe of microsites with PHP or Node.js backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system's private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs), giving them full admin access with a single HTTP request. First, the function passes the literal string "0" as the HMAC signing key instead of the key parameter, so every HAXcms instance computes identical HMACs for the same input. Second, after computing the HMAC, the function concatenates the real key parameter, `this.privateKey + this.salt` (the system's master signing secret), directly onto the output. The combined buffer is base64-encoded and returned as the token. Every base64url token produced therefore has the same structure: a 32-byte HMAC keyed with "0" followed by the N bytes of `privateKey+salt`. An attacker base64-decodes any token, discards the first 32 bytes, and reads the private key directly. The `/system/api/connectionSettings` endpoint is unauthenticated and returns multiple tokens generated by this function, so a single GET request to it exposes the private key. The PHP backend implements this function correctly, keying the HMAC with the actual key and returning only the hash; it produces 44-character tokens, whereas the broken Node.js version produces tokens of 139 or more characters. Version 26.0.0 fixes the issue.
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A cryptographic key disclosure vulnerability in the HAX CMS Node.js backend allows any unauthenticated attacker to extract the system's private signing key with a single HTTP GET request. The `hmacBase64()` function mistakenly uses the literal string "0" as the HMAC key and then appends the real `privateKey+salt` directly to the output buffer before base64-encoding it, so the secret is trivially recoverable by decoding any token and skipping the first 32 bytes. With the private key in hand, an attacker forges arbitrary admin-level JWTs and gains full administrative access to the CMS. No fix version has been published yet; HarborGuard tracks this advisory for patch availability.
HarborGuard Coverage
- Available: Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the haxcms-nodejs package at any version below 26.0.0.
- Available: HarborGuard scores this finding at CVSS 9.3 (Critical) using the published v4.0 vector and weights it against each environment's compliance policy to determine escalation priority; affected findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
- Pending upstream: Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released upstream. In the interim, the finding remains open and visible in each environment's vulnerability dashboard for manual remediation tracking.
Exploit Conditions
- Network reachability: Required
The vulnerable `/system/api/connectionSettings` endpoint is exposed over the network, so the attacker must be able to send an HTTP request to the target host.
- Authentication: Not required
The endpoint is completely unauthenticated; no account, session, or credential of any kind is needed to retrieve the private key.
- Victim interaction: Not required
Exploitation is fully passive from the victim's perspective and requires no user action; a single GET request from the attacker is sufficient.
- Attack complexity
Exploitation is reliable and condition-free: the token structure is deterministic across all affected instances, so key extraction is a straightforward base64-decode-and-slice operation with no race conditions or environmental variables to manage.
Blast Radius
- Attacker recovers the instance's `privateKey+salt` directly from the decoded token, giving them the master signing secret for the entire CMS.
- With the private key, the attacker forges arbitrary admin-level JWTs and authenticates as a full administrator with no credential brute-forcing required.
- As an admin, the attacker reads, modifies, or deletes all CMS content, user records, and site configuration stored in the backend.
- Full admin access enables the attacker to install or alter server-side content, potentially pivoting to further compromise of the hosting environment.
How HarborGuard Handles This
Available on HarborGuard: any image containing haxcms-nodejs below version 26.0.0 is flagged as Critical the moment the image is scanned or re-evaluated against the updated feed. Because no upstream fix has been published, the finding will remain open until a patched version is released; at that point a rebuilt image and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads become available automatically. While awaiting an upstream patch, network-policy isolation at the ingress layer is a practical compensating control: restricting external access to the `/system/api/connectionSettings` endpoint via an ingress rule or web application firewall policy eliminates the unauthenticated exposure without requiring an application change. HarborGuard surfaces remediation guidance alongside the finding so that teams can apply these controls without waiting for an official fix.
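The ingress-layer compensating control mentioned above, as an added example that is not HarborGuard or HAXcms configuration: an nginx location block that refuses external requests to the unauthenticated endpoint while the backend remains unpatched. The upstream name and the allowed CIDR are placeholders.

```nginx
# Compensating control while no fixed haxcms-nodejs is deployed: stop external
# clients from reaching the endpoint that returns the leaking tokens.
# Prefix match (^~) also covers trailing-slash and sub-path variants.
location ^~ /system/api/connectionSettings {
    allow 10.0.0.0/8;                 # placeholder: internal range that may still call it
    deny  all;                        # everyone else receives 403
    proxy_pass http://haxcms_backend; # placeholder upstream for the Node.js backend
}
```

If nginx itself sits behind another proxy or load balancer, `allow`/`deny` evaluate the proxy's address unless the real client IP is restored (for example with the `real_ip` module), so confirm the rule actually blocks an external request before relying on it.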
Affected Products
- haxtheweb / haxcms-nodejs: < 26.0.0
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N