CVE-2026-46390 Overview
CVE-2026-46390 affects HAX CMS, a content management system that manages microsite ecosystems with PHP or NodeJS backends. The vulnerability exposes the gitlist plugin to unauthenticated users. Attackers can browse git repositories and git history without authentication. The flaw exists in HAX CMS versions starting at 2.0.0 and prior to version 26.0.0. The maintainers patched the issue in version 26.0.0. The weakness is classified under [CWE-639] (Authorization Bypass Through User-Controlled Key). The vulnerability has a network attack vector and requires no privileges or user interaction.
Critical Impact
Unauthenticated remote attackers can read git repository contents and commit history through the exposed gitlist plugin, leading to source code and historical data disclosure.
Affected Products
- HAX CMS PHP backend versions 2.0.0 through 25.x
- HAX CMS NodeJS backend versions 2.0.0 through 25.x
- HAX CMS gitlist plugin component
Discovery Timeline
- 2026-06-05 - CVE-2026-46390 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46390
Vulnerability Analysis
The vulnerability resides in the gitlist plugin component of HAX CMS. The plugin provides a web interface to browse git repositories and their history. The flaw stems from missing authentication controls on the plugin endpoints. Any remote user reaching the HAX CMS instance can access the plugin without supplying credentials.
The issue maps to [CWE-639], Authorization Bypass Through User-Controlled Key. The plugin trusts request inputs to identify and serve repository data without verifying the requester's identity or role. Confidentiality impact is limited to the data exposed by the gitlist interface. Integrity and availability are not directly affected.
Exposed git history can include source code, configuration files, commit messages, branch names, and author metadata. Repositories sometimes contain secrets such as API keys or credentials committed in earlier revisions. Attackers can use this data to plan follow-on attacks against the application or related infrastructure.
Root Cause
The gitlist plugin lacks an authentication or authorization layer in front of its handlers. The HAX CMS core does not gate plugin access to authenticated sessions. As a result, the plugin endpoints respond to anonymous HTTP requests.
Attack Vector
An attacker sends HTTP requests directly to the gitlist plugin URLs on a HAX CMS instance reachable over the network. The plugin returns repository listings, file contents, and commit history without prompting for authentication. No social engineering or prior access is required. No verified public exploit code is available at this time. Refer to the GitHub Security Advisory GHSA-6434-8rch-w65c for technical details.
Detection Methods for CVE-2026-46390
Indicators of Compromise
- Anonymous HTTP GET requests to URLs containing gitlist plugin paths on HAX CMS hosts
- Web server access logs showing repository file or commit history retrieval without an authenticated session cookie
- Unexpected outbound transfers of repository archives or large numbers of small git object requests
Detection Strategies
- Review web server and reverse proxy logs for requests to gitlist endpoints originating from external IP addresses
- Correlate user-agent strings and request rates to identify automated scraping of git history
- Audit HAX CMS installations to confirm whether the gitlist plugin is enabled and exposed to untrusted networks
Monitoring Recommendations
- Forward HAX CMS web logs to a centralized analytics platform and alert on gitlist paths accessed without authentication
- Track HAX CMS version inventory and flag instances running versions between 2.0.0 and 26.0.0
- Monitor for newly published proof-of-concept code referencing GHSA-6434-8rch-w65c
How to Mitigate CVE-2026-46390
Immediate Actions Required
- Upgrade HAX CMS to version 26.0.0 or later on all PHP and NodeJS deployments
- Restrict network access to HAX CMS administrative interfaces using firewall rules or reverse proxy authentication until the patch is applied
- Audit repositories served by HAX CMS for secrets, credentials, or sensitive content that may have been exposed and rotate any affected secrets
Patch Information
The maintainers fixed the vulnerability in HAX CMS version 26.0.0. The patch enforces authentication on the gitlist plugin so anonymous users can no longer browse git repositories. Patch details are available in the GitHub Security Advisory GHSA-6434-8rch-w65c.
Workarounds
- Disable the gitlist plugin on affected HAX CMS instances until the upgrade to 26.0.0 is completed
- Place HAX CMS behind a reverse proxy that requires authentication for any path referencing gitlist
- Limit inbound network access to the HAX CMS host to trusted administrative networks or VPN clients
# Example nginx snippet to block public access to the gitlist plugin
location ~* /gitlist {
allow 10.0.0.0/8;
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
