CVE-2026-46398: HAX CMS Missing Secure Flag on Cookie
HAX CMS manages a universe of microsites and ships with PHP and Node.js backends. In versions 25.0.0 and later, prior to 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag, so the browser also sends it on unencrypted HTTP requests to the site, where anyone able to observe the traffic can capture it. Version 26.0.0 fixes the issue.
Metrics
- CVSS v4.0: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A missing Secure flag on the session refresh cookie in HAX CMS (haxcms-php versions 25.0.0 through 25.x) allows the haxcms_refresh_token cookie to be transmitted over unencrypted HTTP connections. An attacker able to observe traffic on the path between the victim and the server can capture the cookie by passive packet sniffing, with no authentication and no victim interaction beyond ordinary site usage. The exposure happens only when the victim's browser actually issues a plaintext request to the site, for example by following an http:// link or typing the hostname without a scheme; an HTTP-to-HTTPS redirect does not help, because the browser has already sent the cookie in the clear before it receives the redirect. With the refresh token, the attacker can take over the authenticated session, gaining unauthorized access to managed content and site administration. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as version 26.0.0 or a later fix is published upstream.
HarborGuard Coverage
- Detection: Available. Detection of CVE-2026-46398 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images derived from haxcms-php, in both registry scans and CI pipeline checks.
- Triage: Available. The CVSS v4.0 score of 8.8 (HIGH) is applied automatically and weighted against each customer organization's compliance policy to determine urgency; the resulting finding is routed to the appropriate team inbox within the customer's HarborGuard organization.
- Patched image: Pending upstream. Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment version 26.0.0 or a later fix is released upstream. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Required. The attacker must be able to observe traffic between the client and the server, for example on a shared wireless or wired segment or at an intermediate hop, to capture plaintext HTTP requests carrying the cookie.
- Authentication: Not required. No account or credentials are needed; the attacker passively observes traffic without ever authenticating to the target application.
- Victim interaction: Not required. No user action beyond ordinary site usage is needed; the browser attaches the cookie to every request it makes to the site's domain and path, including plaintext http:// requests, until the cookie expires or is cleared.
- Attack complexity: Low (AC:L). Capture is passive and reliable once the attacker can observe the traffic; no race conditions or special memory layout requirements apply. The only practical condition is that the victim's browser issues at least one plaintext request to the site.
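The check a practitioner would run against a HAX CMS instance is to inspect the Set-Cookie headers it returns and confirm the Secure attribute is present, and to reason about whether the browser would send that cookie on an http:// request. The following is an added example, not code from HAX CMS or HarborGuard: it parses Set-Cookie headers, reports missing hardening attributes, and models the browser rule that decides whether a stored cookie is attached to a plaintext request. The hostname, path and token value are constructed for illustration.

```javascript
// Added example (not HAX CMS or HarborGuard code): audit Set-Cookie headers for
// the Secure flag and model the browser rule that decides whether a stored
// cookie is attached to a plaintext http:// request. Values are constructed.

// Parse one Set-Cookie header into { name, value, attrs }. Attribute names are
// case-insensitive (RFC 6265), so they are normalised to lower case.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    const [k, ...v] = part.trim().split('=');
    attrs[k.toLowerCase()] = v.length ? v.join('=') : true;
  }
  return { name, value, attrs };
}

// Findings for a cookie that carries a session or refresh token.
function auditCookie(cookie) {
  const findings = [];
  if (!cookie.attrs.secure) findings.push('missing Secure: sent over plaintext HTTP');
  if (!cookie.attrs.httponly) findings.push('missing HttpOnly: readable from script');
  if (!cookie.attrs.samesite) findings.push('missing SameSite: sent on cross-site requests');
  return findings;
}

// Browser behaviour (RFC 6265 section 5.4): a cookie with the Secure attribute
// is only attached to requests over a secure scheme; everything else is sent
// to any matching host and path regardless of scheme.
function browserSendsCookie(cookie, url) {
  const u = new URL(url);
  if (cookie.attrs.secure && u.protocol !== 'https:') return false;
  const path = cookie.attrs.path || '/';
  return u.pathname.startsWith(path);
}

// Constructed headers: the vulnerable form (no Secure) beside the fixed form.
const VULNERABLE = 'haxcms_refresh_token=rt_example_0001; Path=/; HttpOnly; SameSite=Strict';
const FIXED      = 'haxcms_refresh_token=rt_example_0001; Path=/; Secure; HttpOnly; SameSite=Strict';

// Audit one header and say whether the cookie would leak on a constructed
// plaintext request to the site.
function report(header) {
  const cookie = parseSetCookie(header);
  return {
    findings: auditCookie(cookie),
    leaksOverHttp: browserSendsCookie(cookie, 'http://cms.example.test/api/refresh'),
  };
}

console.log(report(VULNERABLE)); // findings: ['missing Secure: ...'], leaksOverHttp: true
console.log(report(FIXED));      // findings: [], leaksOverHttp: false
```

To run this against a live instance, feed it the raw Set-Cookie headers from the HTTPS response that issues the refresh token (for example the output of `curl -sI` on the login or refresh endpoint); any header whose findings list is non-empty is a cookie that still needs hardening.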
Blast Radius
- Attacker captures the haxcms_refresh_token cookie and uses it to hijack an authenticated user session.
- With a hijacked session, the attacker reads managed site content, configuration, and any data accessible to the compromised account.
- The attacker can modify or delete microsite content and settings within the privileges of the stolen session.
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-46398 is active across all environments running haxcms-php images in the affected version range (25.0.0 to below 26.0.0). Because no upstream fix has been published as of the CVE's publication date, HarborGuard monitors the advisory on every ingest cycle. The moment version 26.0.0 or a subsequent fix is released, a patched-image rebuild becomes available automatically. For customers with auto-remediation enabled, this triggers a full rebuild, regression test run, and a PR opened against affected workloads. In the interim, compensating controls worth considering include: terminating TLS in front of HAX CMS and blocking plaintext HTTP (port 80) at the network policy or proxy, rather than merely redirecting it, since a redirect is only issued after the browser has already sent the cookie in the clear; sending a Strict-Transport-Security header on HTTPS responses so that returning browsers never issue the plaintext request at all; and, where the TLS-terminating proxy can rewrite response headers, appending the Secure attribute to the haxcms_refresh_token Set-Cookie header at the proxy until the upstream fix is deployed.
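The interim controls above are not equivalent, and the difference is worth seeing concretely. The following added example, which is not HAX CMS or HarborGuard code, models a browser (cookie jar plus HSTS cache) visiting a site twice by typing http://HOST/ and counts how many times the refresh-token cookie crosses the wire in cleartext under each configuration: no control, redirect-only, redirect plus HSTS, and the Secure flag itself. The hostname and cookie are constructed.

```javascript
// Added example (not HAX CMS or HarborGuard code): compare the interim
// controls for a cookie that lacks the Secure flag. The client models browser
// cookie attachment (RFC 6265) and HSTS (RFC 6797); the origin models a
// TLS-terminating proxy in front of the CMS. Host and cookie are constructed.

const HOST = 'cms.example.test';

// One simulated browser: a jar holding the refresh-token cookie and an HSTS
// cache keyed by host.
function makeClient(cookieSecure) {
  return {
    cookie: { name: 'haxcms_refresh_token', secure: cookieSecure },
    hsts: new Set(),
  };
}

// Browser rule: a Secure cookie is attached only to https requests.
function attaches(client, scheme) {
  return scheme === 'https' || !client.cookie.secure;
}

// The origin's answer. Over plaintext it either serves or redirects to https;
// over TLS it may advertise HSTS.
function origin(scheme, opts) {
  if (scheme === 'http') {
    return opts.redirectHttp ? { status: 301, location: `https://${HOST}/` } : { status: 200 };
  }
  return { status: 200, hsts: opts.hsts };
}

// One navigation the user typed as http://HOST/. Returns how many times the
// cookie was sent in cleartext, following redirects as a browser would.
function navigate(client, opts) {
  let scheme = client.hsts.has(HOST) ? 'https' : 'http';
  let exposures = 0;
  for (let hop = 0; hop < 5; hop++) {          // hop cap guards against redirect loops
    if (scheme === 'http' && attaches(client, scheme)) exposures++;
    const resp = origin(scheme, opts);
    if (resp.hsts) client.hsts.add(HOST);
    if (resp.status === 301) { scheme = new URL(resp.location).protocol.slice(0, -1); continue; }
    break;
  }
  return exposures;
}

// Two visits per configuration; returns total cleartext exposures.
function exposuresFor(config) {
  const client = makeClient(config.cookieSecure);
  return navigate(client, config) + navigate(client, config);
}

const SCENARIOS = {
  vulnerable:       { cookieSecure: false, redirectHttp: false, hsts: false },
  redirectOnly:     { cookieSecure: false, redirectHttp: true,  hsts: false },
  redirectPlusHsts: { cookieSecure: false, redirectHttp: true,  hsts: true  },
  secureFlag:       { cookieSecure: true,  redirectHttp: false, hsts: false },
};

function summary() {
  const out = {};
  for (const [name, cfg] of Object.entries(SCENARIOS)) out[name] = exposuresFor(cfg);
  return out;
}

console.log(summary()); // { vulnerable: 2, redirectOnly: 2, redirectPlusHsts: 1, secureFlag: 0 }
```

The redirect-only configuration exposes the cookie exactly as often as no control at all, because the browser sends the cookie on the plaintext request that the redirect answers. HSTS removes the exposure from the second visit onward; the first plaintext request still leaks unless the host is on the HSTS preload list. Only the Secure flag, which is what the upstream fix supplies, keeps the cookie off a plaintext request every time.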
Affected Products
- haxtheweb/haxcms-php: >= 25.0.0, < 26.0.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N