CVE-2026-12204 Overview
CVE-2026-12204 is an authorization bypass vulnerability in ShopXO versions up to 6.7.1. The flaw resides in the OrderClose, OrderSuccess, PayLogOrderClose, and GoodsGiveIntegral functions within app/api/controller/Crontab.php, the Scheduled Task Endpoint component. Remote attackers can manipulate these endpoints without authentication to trigger scheduled task operations they should not have access to. A public proof-of-concept is available, and the vendor did not respond to early disclosure attempts. The weakness is categorized under [CWE-285] (Improper Authorization).
Critical Impact
Unauthenticated remote attackers can invoke privileged scheduled task functions in ShopXO, manipulating order closure, payment logs, and integral (point) distribution logic.
Affected Products
- ShopXO versions up to and including 6.7.1
- Component: app/api/controller/Crontab.php (Scheduled Task Endpoint)
- Affected functions: OrderClose, OrderSuccess, PayLogOrderClose, GoodsGiveIntegral
Discovery Timeline
- 2026-06-15 - CVE-2026-12204 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-12204
Vulnerability Analysis
The vulnerability stems from missing authorization checks in the Scheduled Task Endpoint of ShopXO. The Crontab.php controller exposes four functions intended for internal cron-driven invocation: OrderClose, OrderSuccess, PayLogOrderClose, and GoodsGiveIntegral. These functions perform state-changing operations on orders, payment logs, and user integrals (points).
Because the API endpoint does not validate the caller's identity or origin, any remote unauthenticated user can reach these functions over the network. Attackers can repeatedly trigger order state transitions, close pending payments, or initiate integral distributions outside the intended scheduling logic. The impact spans confidentiality, integrity, and availability of low-value but business-critical data flows.
Root Cause
The root cause is improper authorization [CWE-285]. The Crontab controller treats inbound HTTP requests as trusted scheduler invocations without verifying a shared secret, IP allowlist, or session token. No middleware enforces that callers belong to the scheduling subsystem.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends HTTP requests directly to the exposed Crontab endpoints corresponding to the four vulnerable functions. A public proof-of-concept demonstrating unauthenticated cron triggering is hosted on the GitHub PoC Repository.
The vulnerability mechanism is described in prose only; no verified exploit code is reproduced here. Refer to the VulDB Vulnerability Details for additional technical context.
Detection Methods for CVE-2026-12204
Indicators of Compromise
- HTTP requests to URIs containing api/Crontab/OrderClose, api/Crontab/OrderSuccess, api/Crontab/PayLogOrderClose, or api/Crontab/GoodsGiveIntegral originating from external IPs.
- Unexpected order state transitions in ShopXO logs without corresponding user or admin activity.
- Anomalous integral (points) distribution events recorded outside scheduled cron windows.
Detection Strategies
- Inspect web server access logs for unauthenticated POST or GET requests targeting the Crontab controller paths.
- Correlate database changes in order and payment tables against scheduler execution timestamps to identify out-of-band invocations.
- Deploy WAF rules that match the four function names in URL paths and alert on external source addresses.
Monitoring Recommendations
- Forward ShopXO application and access logs to a centralized SIEM for rule-based identification.
- Monitor for high-frequency requests to app/api/controller/Crontab.php endpoints, indicating automated abuse.
- Track integrity of order status fields and integral balances against expected scheduler cadence.
How to Mitigate CVE-2026-12204
Immediate Actions Required
- Block external access to app/api/controller/Crontab.php endpoints using web server or WAF rules.
- Restrict the Crontab route to localhost or an internal scheduler IP allowlist.
- Audit recent order, payment log, and integral distribution events for signs of unauthorized triggering.
Patch Information
No vendor patch is available. The vendor was contacted prior to public disclosure but did not respond, according to the VulDB CVE Entry. Operators must rely on configuration-based mitigations until ShopXO publishes an authorized fix.
Workarounds
- Configure the reverse proxy (Nginx, Apache) to deny external requests to /api/Crontab/* paths.
- Require a shared secret token or HMAC signature on cron invocations and validate it in application middleware.
- Migrate scheduled task execution to a server-local CLI cron job rather than HTTP-triggered endpoints.
# Nginx configuration example to block external access to Crontab endpoints
location ~* ^/api/Crontab/(OrderClose|OrderSuccess|PayLogOrderClose|GoodsGiveIntegral) {
allow 127.0.0.1;
allow 10.0.0.0/8;
deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

