CVE-2026-46395 Overview
HAX CMS contains a cryptographic implementation flaw in its Node.js backend that exposes the system's private signing key to unauthenticated attackers. The hmacBase64() function passes the literal string "0" as the HMAC key instead of the intended key parameter. The function then concatenates the real key (this.privateKey + this.salt) directly onto the HMAC output before base64-encoding the result. A single unauthenticated GET request to /system/api/connectionSettings returns tokens that contain the master signing secret. Attackers decode the response, discard the first 32 bytes, and recover the private key. The PHP backend is not affected. Version 26.0.0 fixes the issue.
Critical Impact
Unauthenticated attackers can extract the master signing key and forge admin-level JSON Web Tokens (JWTs) to obtain full administrative access with a single HTTP request.
Affected Products
- HAX CMS Node.js backend versions prior to 26.0.0
- HAXcms instances exposing the /system/api/connectionSettings endpoint
- Deployments using the Node.js hmacBase64() token generator
Discovery Timeline
- 2026-06-05 - CVE-2026-46395 published to NVD
- 2026-06-05 - Last updated in NVD database
Technical Details for CVE-2026-46395
Vulnerability Analysis
The defect resides in the Node.js hmacBase64() function used by HAXcms to generate tokens. Two stacked errors transform an authentication primitive into a key disclosure oracle. First, the function invokes HMAC using the string "0" as the signing secret rather than the parameter passed by callers. Every HAXcms instance therefore computes identical HMACs for identical inputs, breaking the cryptographic property the design assumed.
Second, after computing the HMAC the function concatenates the actual key parameter onto the output. That parameter is this.privateKey + this.salt, the master signing secret of the application. The combined buffer is base64-encoded and returned as the token. Each token has a deterministic structure: 32 bytes of HMAC followed by N bytes of privateKey+salt.
This is an information disclosure flaw classified under CWE-200. Recovered key material enables forgery of JWTs with administrator claims, granting full administrative control of the CMS.
Root Cause
The Node.js implementation hardcodes the literal "0" where the key argument should be referenced and appends the real key to the digest output. The PHP backend implements the same function correctly, using the actual key and returning only the hash. The PHP version produces 44-character tokens while the broken Node.js version produces tokens of 139 characters or more, making affected instances trivially fingerprintable.
Attack Vector
The /system/api/connectionSettings endpoint is unauthenticated and returns multiple tokens generated by the flawed function. An attacker issues a single GET request, base64-decodes any returned token, discards the leading 32 bytes of HMAC output, and reads privateKey+salt directly. With the recovered secret the attacker signs JWTs containing admin claims and submits them to authenticated endpoints to obtain administrative access.
No authentication, user interaction, or specialized tooling is required. Exploitation reduces to one HTTP request plus standard base64 decoding. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-46395
Indicators of Compromise
- Unauthenticated GET requests to /system/api/connectionSettings from external sources
- Response payloads containing base64url tokens of 139 characters or more from the Node.js backend
- JWTs accepted by the application that were not issued by the server's normal authentication flow
- Administrative actions performed by sessions lacking a preceding login event
Detection Strategies
- Inspect HTTP access logs for requests to /system/api/connectionSettings and correlate with subsequent privileged API calls from the same source
- Audit issued JWTs for iat and jti values that do not appear in authentication server logs
- Fingerprint the deployment by token length; tokens of 139+ characters indicate the vulnerable Node.js backend
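As an added example (not part of the original advisory or of HAX CMS), the first detection strategy above, correlating access-log hits on /system/api/connectionSettings with later privileged API calls from the same client that never passed through a login, implemented over constructed combined-format log lines. The login route and the privileged route names are assumptions for illustration; a real deployment would substitute its own admin routes. Timestamps are read as UTC and the log offset is ignored, which is fine for the constructed sample.

```javascript
// Added example (not HAX CMS code): flag clients that fetch the unauthenticated
// connectionSettings endpoint and then call privileged routes without a login.
const SETTINGS_PATH = "/system/api/connectionSettings";
// Assumed route names for illustration only; replace with the instance's real routes.
const LOGIN_PATH = "/system/api/login";
const PRIVILEGED_PATHS = new Set(["/system/api/saveNode", "/system/api/siteSettings"]);
const WINDOW_MS = 60 * 60 * 1000; // privileged call within an hour of the fetch

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Common/combined log format: ip ident user [dd/Mon/yyyy:HH:MM:SS +zzzz] "METHOD path proto" status ...
const LINE_RE =
  /^(\S+) \S+ \S+ \[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) [^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // skip lines that do not match the format
  const [, ip, d, mon, y, h, mi, s, method, rawPath, status] = m;
  return {
    ip,
    ts: Date.UTC(+y, MONTHS[mon], +d, +h, +mi, +s),
    method,
    path: rawPath.split("?")[0], // drop query string before matching
    status: +status,
  };
}

// Returns one finding per privileged call from a client that (a) fetched
// connectionSettings earlier, (b) has no successful login in the log, and
// (c) made the call within WINDOW_MS of the fetch.
function correlate(lines) {
  const events = lines.map(parseLine).filter(Boolean).sort((a, b) => a.ts - b.ts);
  const settingsFetch = new Map(); // ip -> timestamp of first settings fetch
  const loggedIn = new Set();      // ips with a successful login event
  const findings = [];
  for (const e of events) {
    if (e.path === SETTINGS_PATH && e.status === 200 && !settingsFetch.has(e.ip)) {
      settingsFetch.set(e.ip, e.ts);
    }
    if (e.path === LOGIN_PATH && e.status === 200) loggedIn.add(e.ip);
    if (PRIVILEGED_PATHS.has(e.path) && settingsFetch.has(e.ip) && !loggedIn.has(e.ip)) {
      const delta = e.ts - settingsFetch.get(e.ip);
      if (delta <= WINDOW_MS) {
        findings.push({ ip: e.ip, path: e.path, secondsAfterFetch: delta / 1000 });
      }
    }
  }
  return findings;
}

// Constructed sample log lines (documentation-range addresses, not real traffic).
const SAMPLE_LOG = [
  '203.0.113.7 - - [05/Jun/2026:10:00:01 +0000] "GET /system/api/connectionSettings HTTP/1.1" 200 512',
  '203.0.113.7 - - [05/Jun/2026:10:00:09 +0000] "POST /system/api/saveNode HTTP/1.1" 200 88',
  '203.0.113.7 - - [05/Jun/2026:10:00:20 +0000] "POST /system/api/siteSettings HTTP/1.1" 200 64',
  '198.51.100.4 - - [05/Jun/2026:10:01:00 +0000] "GET /system/api/connectionSettings HTTP/1.1" 200 512',
  '198.51.100.4 - - [05/Jun/2026:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048',
  '10.0.0.5 - - [05/Jun/2026:10:02:00 +0000] "POST /system/api/login HTTP/1.1" 200 90',
  '10.0.0.5 - - [05/Jun/2026:10:02:30 +0000] "POST /system/api/saveNode HTTP/1.1" 200 88',
  "garbage line that does not parse",
];

module.exports = { parseLine, correlate, SAMPLE_LOG };
```

On the sample, only 203.0.113.7 is reported (two findings, 8 and 19 seconds after its fetch): 198.51.100.4 fetched the settings but did nothing privileged, and 10.0.0.5 logged in before its privileged call. A fetch of connectionSettings by itself is not conclusive, since the endpoint may be used by the normal front end; the correlation with a login-free privileged action is what makes the finding worth escalating.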
Monitoring Recommendations
- Forward HAXcms application and reverse proxy logs to a centralized analytics platform for correlation of unauthenticated endpoint access with admin activity
- Alert on sudden creation of administrator accounts or configuration changes not preceded by an interactive login
- Track requests to system and settings endpoints from non-allowlisted networks
How to Mitigate CVE-2026-46395
Immediate Actions Required
- Upgrade HAX CMS to version 26.0.0 or later, which corrects the hmacBase64() implementation
- Rotate privateKey and salt values after upgrading, since prior keys must be considered compromised
- Invalidate all existing JWTs and force re-authentication of administrative users
- Review audit logs for unauthorized administrative actions since deployment of the affected version
Patch Information
The maintainers released a fix in HAX CMS version 26.0.0. The patch corrects the Node.js hmacBase64() function to use the supplied key parameter and to return only the HMAC digest, matching the behavior of the PHP backend. Full remediation details are available in the GitHub Security Advisory GHSA-6c8g-9hfh-pq5h.
Workarounds
- Restrict network access to /system/api/connectionSettings via reverse proxy rules or a web application firewall until the upgrade is applied
- Place the HAXcms Node.js backend behind an authenticated gateway that blocks unauthenticated access to system endpoints
- If upgrading is not immediately possible, migrate to the PHP backend, which is not affected
# Example nginx reverse proxy rule blocking external access to the vulnerable endpoint.
# Do not pair allow/deny with an unconditional "return 403": return runs in the rewrite
# phase, before access checks, so it would also block the allowed source. Denied clients
# already receive 403 from the deny directive.
location /system/api/connectionSettings {
    allow 127.0.0.1;
    deny all;
    proxy_pass http://haxcms_backend;   # assumed upstream name; use the deployment's existing one
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.