CVE-2026-49952 (CRITICAL) | CNA: VulnCheck

CVE-2026-49952: Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle

Discuz! X5.0 releases 20260320 through 20260501 contain an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to database backup and restore functionality by exploiting a cryptographic key shared between the UCenter integration and the database backup API exposed by dbbak.php. Attackers can inject a crafted payload through the username parameter during login to abuse the encryption oracle in logging_ctl::logging_more(), obtain a legitimately signed token, and use it to bypass authorization for database export and import operations, with the additional ability to trigger a race condition to impersonate arbitrary users.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: no fix version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

Authentication bypass in Discuz! X5.0 (releases 20260320 through 20260501) allows an unauthenticated remote attacker to obtain a validly signed token by abusing the login endpoint's encryption oracle in logging_ctl::logging_more(), whose cryptographic key is shared with the database backup API in dbbak.php. The attacker sends a crafted username payload over the network, with no credentials required, and receives a token that unlocks the database backup and restore API. Successful exploitation gives the attacker full read and write access to the database, with a secondary ability to impersonate arbitrary users via a race condition. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-49952 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Discuz! X5.0. Any image containing an affected release (20260320 through 20260501) will surface in scan results automatically.

Triage: Available

HarborGuard scores this CVE at 9.3 Critical (CVSS v4.0) and weights that score against each customer environment's compliance policy to prioritize routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version appears. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once an upstream patch lands.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Discuz! login and dbbak.php endpoints over the network; there is no local-only or physical requirement.

  • Authentication: Not required

    No account or credentials of any kind are needed; the attack begins from a fully unauthenticated state by submitting a crafted username to the login endpoint.

  • Victim interaction: Not required

    The attacker operates entirely autonomously against the service; no user action or social engineering is required.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free for the primary token-forgery path; a secondary race condition exists for user impersonation but does not affect the core database access primitive.

Blast Radius

  • Reads the full database export, including stored credentials, session tokens, private messages, and all user records.
  • Writes arbitrary data back into the database via the restore endpoint, allowing modification or deletion of any persisted content.
  • Impersonates arbitrary registered users by winning the documented race condition, enabling account takeover without knowing any password.
  • Grants persistent administrative access if the attacker overwrites administrator credentials or session data during the import operation.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-49952, HarborGuard continuously monitors the advisory and will surface a patched-image rebuild the moment Discuz! publishes a corrected release. In the interim, compensating controls are recommended: apply network-policy isolation to restrict access to the dbbak.php endpoint to trusted internal addresses only, enable egress filtering to limit what the Discuz! container can reach if the database export endpoint is abused, and consider feature-flag gating or WAF rules that reject requests to dbbak.php from unauthenticated sessions at the load-balancer or ingress layer. Where compliance policy permits, HarborGuard can re-scan on each ingest cycle and alert immediately if a patched version becomes available, at which point auto-remediation customers will receive a rebuild, regression-test run, and a PR opened against affected workloads automatically.
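As a way to verify the compensating control described above, here is an added example (not HarborGuard's or Discuz!'s code) that scans web-server access logs for requests to dbbak.php from addresses outside a trusted internal range, so that both blocked attempts and successful hits are visible. The sample log lines, the directory prefix in the sample path and the trusted CIDRs are constructed assumptions; the advisory names only the file dbbak.php, not its directory.

```python
"""Flag access-log requests to Discuz! dbbak.php from untrusted sources.

Added example; not part of the advisory or of Discuz!. Assumes combined
log format and matches any path ending in dbbak.php, since the advisory
does not state the file's directory.
"""
import ipaddress
import re

# Constructed sample log lines (combined log format), not real traffic.
# The /api/db/ prefix is a constructed assumption for the sample only.
SAMPLE_LOG = """\
10.20.1.7 - - [02/May/2026:10:01:12 +0000] "GET /api/db/dbbak.php?op=export HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.45 - - [02/May/2026:10:02:03 +0000] "GET /api/db/dbbak.php?op=export HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.45 - - [02/May/2026:10:02:04 +0000] "POST /api/db/dbbak.php?op=import HTTP/1.1" 403 312 "-" "python-requests/2.31"
198.51.100.9 - - [02/May/2026:10:03:00 +0000] "GET /forum.php HTTP/1.1" 200 14022 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Path ends in dbbak.php, with or without a query string.
DBBAK_RE = re.compile(r'/dbbak\.php(?:\?|$)')

# Constructed trusted ranges; replace with the site's own internal CIDRs.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def is_trusted(ip, trusted=TRUSTED):
    """True if ip parses and falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def find_untrusted_dbbak_hits(log_text, trusted=TRUSTED):
    """Return (ip, method, path, status) for every dbbak.php request whose
    source is outside the trusted ranges. The status is kept so that a
    blocked attempt (403) can be told apart from a successful one (200)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not DBBAK_RE.search(m.group("path")):
            continue
        if is_trusted(m.group("ip"), trusted):
            continue
        hits.append((m.group("ip"), m.group("method"),
                     m.group("path"), int(m.group("status"))))
    return hits
```

Any entry with status 200 from an untrusted address means the endpoint was reachable from outside the allowed range and the network-policy or WAF rule is not in effect on that path.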

Affected packages
  • Discuz! / Discuz! X5.0: ≤ 20260501
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N