Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12204

CVE-2026-12204: ShopXO Auth Bypass Vulnerability

CVE-2026-12204 is an authorization bypass flaw in ShopXO up to version 6.7.1 affecting scheduled task endpoints. Attackers can remotely exploit this to bypass authorization controls. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2026-12204 Overview

CVE-2026-12204 is an authorization bypass vulnerability in ShopXO versions up to 6.7.1. The flaw resides in the OrderClose, OrderSuccess, PayLogOrderClose, and GoodsGiveIntegral functions within app/api/controller/Crontab.php, the Scheduled Task Endpoint component. Remote attackers can manipulate these endpoints without authentication to trigger scheduled task operations they should not have access to. A public proof-of-concept is available, and the vendor did not respond to early disclosure attempts. The weakness is categorized under [CWE-285] (Improper Authorization).

Critical Impact

Unauthenticated remote attackers can invoke privileged scheduled task functions in ShopXO, manipulating order closure, payment logs, and integral (point) distribution logic.

Affected Products

  • ShopXO versions up to and including 6.7.1
  • Component: app/api/controller/Crontab.php (Scheduled Task Endpoint)
  • Affected functions: OrderClose, OrderSuccess, PayLogOrderClose, GoodsGiveIntegral

Discovery Timeline

  • 2026-06-15 - CVE-2026-12204 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-12204

Vulnerability Analysis

The vulnerability stems from missing authorization checks in the Scheduled Task Endpoint of ShopXO. The Crontab.php controller exposes four functions intended for internal cron-driven invocation: OrderClose, OrderSuccess, PayLogOrderClose, and GoodsGiveIntegral. These functions perform state-changing operations on orders, payment logs, and user integrals (points).

Because the API endpoint does not validate the caller's identity or origin, any remote unauthenticated user can reach these functions over the network. Attackers can repeatedly trigger order state transitions, close pending payments, or initiate integral distributions outside the intended scheduling logic. The impact spans confidentiality, integrity, and availability of low-value but business-critical data flows.

Root Cause

The root cause is improper authorization [CWE-285]. The Crontab controller treats inbound HTTP requests as trusted scheduler invocations without verifying a shared secret, IP allowlist, or session token. No middleware enforces that callers belong to the scheduling subsystem.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends HTTP requests directly to the exposed Crontab endpoints corresponding to the four vulnerable functions. A public proof-of-concept demonstrating unauthenticated cron triggering is hosted on the GitHub PoC Repository.

The vulnerability mechanism is described in prose only; no verified exploit code is reproduced here. Refer to the VulDB Vulnerability Details for additional technical context.

Detection Methods for CVE-2026-12204

Indicators of Compromise

  • HTTP requests to URIs containing api/Crontab/OrderClose, api/Crontab/OrderSuccess, api/Crontab/PayLogOrderClose, or api/Crontab/GoodsGiveIntegral originating from external IPs.
  • Unexpected order state transitions in ShopXO logs without corresponding user or admin activity.
  • Anomalous integral (points) distribution events recorded outside scheduled cron windows.

Detection Strategies

  • Inspect web server access logs for unauthenticated POST or GET requests targeting the Crontab controller paths.
  • Correlate database changes in order and payment tables against scheduler execution timestamps to identify out-of-band invocations.
  • Deploy WAF rules that match the four function names in URL paths and alert on external source addresses.

Monitoring Recommendations

  • Forward ShopXO application and access logs to a centralized SIEM for rule-based identification.
  • Monitor for high-frequency requests to app/api/controller/Crontab.php endpoints, indicating automated abuse.
  • Track integrity of order status fields and integral balances against expected scheduler cadence.

How to Mitigate CVE-2026-12204

Immediate Actions Required

  • Block external access to app/api/controller/Crontab.php endpoints using web server or WAF rules.
  • Restrict the Crontab route to localhost or an internal scheduler IP allowlist.
  • Audit recent order, payment log, and integral distribution events for signs of unauthorized triggering.

Patch Information

No vendor patch is available. The vendor was contacted prior to public disclosure but did not respond, according to the VulDB CVE Entry. Operators must rely on configuration-based mitigations until ShopXO publishes an authorized fix.

Workarounds

  • Configure the reverse proxy (Nginx, Apache) to deny external requests to /api/Crontab/* paths.
  • Require a shared secret token or HMAC signature on cron invocations and validate it in application middleware.
  • Migrate scheduled task execution to a server-local CLI cron job rather than HTTP-triggered endpoints.
bash
# Nginx configuration example to block external access to Crontab endpoints
location ~* ^/api/Crontab/(OrderClose|OrderSuccess|PayLogOrderClose|GoodsGiveIntegral) {
    allow 127.0.0.1;
    allow 10.0.0.0/8;
    deny all;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.