How is CVE-2026-46493 exploited?

Network reachability (required): The affected service must be reachable over the network; an attacker interacts with it remotely without requiring any foothold on the host. Authentication (not-required): No account or credentials are needed to attempt exploitation; the vulnerable code path is reachable by any unauthenticated request. Victim interaction (not-required): No user action is required; the attacker can probe or exploit the weakness entirely without involving another party. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory layout, or other hard-to-control environmental factors.

What is the impact of CVE-2026-46493?

A successful attacker can reconstruct predictable salts derived from `uniqid()` timestamps, breaking the confidentiality of hashed secrets such as passwords or API tokens stored in the application. Recovered credentials or tokens allow the attacker to read protected site content, user data, and any information gated behind those secrets. No integrity or availability impact is indicated by the CVSS vector; the attacker gains read access but cannot modify or destroy data through this vulnerability alone.

Back to search

HIGHCVE-2026-46493Published 2026-06-05Modified 2026-06-05CNA GitHub_M

CVE-2026-46493: haxtheweb/haxcms-php uses insecure method for generating salt

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.1 use `uniqid` for generating salts, which is unsuitable. Version 26.0.1 fixes the issue.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a weak cryptographic salt generation vulnerability in haxtheweb/haxcms-php. The affected versions use PHP's `uniqid()` function to generate salts for password hashing or token generation, a function based on the current timestamp that produces predictable output rather than cryptographically random values. An unauthenticated remote attacker who can observe or guess timing information can reconstruct salts, potentially breaking the confidentiality of protected data such as credentials or session material. HarborGuard tracks the upstream advisory for patch availability, as no fix version has been published to package registries at this time.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle haxcms-php. Any image containing an affected version of the package is flagged immediately.

Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 severity of 7.5 (HIGH) and weighting that score against each environment's compliance policy to determine priority. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

Because no fix version has been published to the upstream package registry, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainers ship a resolved release. In the interim, customers can apply compensating controls through HarborGuard's network-policy and egress-filtering recommendations to reduce exposure.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The affected service must be reachable over the network; an attacker interacts with it remotely without requiring any foothold on the host.
AuthenticationNot required
No account or credentials are needed to attempt exploitation; the vulnerable code path is reachable by any unauthenticated request.
Victim interactionNot required
No user action is required; the attacker can probe or exploit the weakness entirely without involving another party.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory layout, or other hard-to-control environmental factors.

Blast Radius

A successful attacker can reconstruct predictable salts derived from `uniqid()` timestamps, breaking the confidentiality of hashed secrets such as passwords or API tokens stored in the application.
Recovered credentials or tokens allow the attacker to read protected site content, user data, and any information gated behind those secrets.
No integrity or availability impact is indicated by the CVSS vector; the attacker gains read access but cannot modify or destroy data through this vulnerability alone.

How HarborGuard Handles This

Available on HarborGuard: images containing affected versions of haxcms-php are detectable and flagged as HIGH severity as soon as the CVE is ingested. Because no upstream fix version has been published yet, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment the maintainers release a resolved version. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a pull request against affected workloads will be generated at that point without manual intervention. In the meantime, compensating controls worth considering include network-policy isolation to restrict which services can reach the haxcms-php endpoint, egress filtering to limit outbound connections from the container, and review of any secrets generated under the affected salt logic (which should be rotated once a fix is available). Customers whose compliance policy requires a human sign-off before image promotion will see the finding queued for manual triage in their HarborGuard inbox.

See how HarborGuard automates this

Affected packages

haxtheweb / haxcms-php
< 26.0.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Metrics

Get notified