Description
HAX CMS helps manage a microsite universe with PHP or Node.js backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system's private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs), giving them full admin access with a single HTTP request. First, the function passes the literal string "0" as the HMAC signing key instead of the key parameter, so every HAXcms instance computes identical HMACs for the same input. Second, after computing the HMAC, the function concatenates the real key parameter, `this.privateKey + this.salt` (the system's master signing secret), directly onto the output. The combined buffer is base64-encoded and returned as the token. Every token produced therefore has the same structure: a 32-byte HMAC keyed with "0" followed by the N bytes of `privateKey+salt`. An attacker base64-decodes any token, discards the first 32 bytes, and reads the private key directly. The `/system/api/connectionSettings` endpoint is unauthenticated and returns multiple tokens generated by this function, so a single GET request to it exposes the private key. The PHP backend implements this function correctly: it keys the HMAC with the actual key and returns only the hash. The PHP version produces 44-character tokens, whereas the broken Node.js version produces tokens of 139 or more characters. Version 26.0.0 fixes the issue.
Published: 2026-06-05
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An implementation error in the hmacBase64() function of the HAX CMS Node.js backend allows an unauthenticated attacker to retrieve the system's private signing key and create forged admin-level JSON Web Tokens. The function mistakenly uses the constant "0" as the HMAC key and appends the real private key and salt to the HMAC output, so the base64-encoded token exposes the secret to anyone who decodes it. An attacker obtains the key with a single GET request to the unauthenticated /system/api/connectionSettings endpoint, which returns several such tokens. With the key, the attacker can mint arbitrary admin JWTs and take full administrative control of the CMS. The flaw is exploitable remotely over HTTP with no prerequisites and amounts to a critical-severity authentication bypass: an anonymous caller becomes an administrator.

Affected Systems

The vulnerable component is the HAX CMS application provided by haxtheweb, specifically the Node.js backend. All releases prior to version 26.0.0 contain the broken hmacBase64() function. The PHP backend implementation is correct and is not affected. The issue presents itself via the /system/api/connectionSettings endpoint, which is publicly accessible in affected deployments.

Risk and Exploitability

The CVSS 4.0 score of 9.3 indicates critical severity. No EPSS score has been assigned, so the exploitation probability is not quantified, but the flaw is trivial to leverage: one unauthenticated HTTP request returns a token that decodes directly to the signing secret. The SSVC values recorded on 5 June 2026 (Exploitation: poc, Automatable: yes, Technical Impact: total) reflect that. The vulnerability is not listed in the CISA KEV catalog, but the impact remains severe. An attacker can immediately extract the private key and craft admin tokens without any additional prerequisites, so any exposed HAX CMS instance running a pre-26.0.0 Node.js backend should be treated as compromisable, and its signing secret as already disclosed if the endpoint was reachable.

Generated by OpenCVE AI on June 5, 2026 at 20:39 UTC.

Remediation

The CVE description states that version 26.0.0 fixes the issue; no vendor-supplied workaround for earlier versions is listed on this page.

OpenCVE Recommended Actions

  • Upgrade the HAX CMS Node.js backend to version 26.0.0 or later, which contains the corrected hmacBase64() implementation
  • Treat the privateKey and salt of any instance that was reachable before the upgrade as compromised and rotate them after upgrading: an attacker who already decoded a token holds the old secret, and any JWT signed with it stays valid until the secret changes
  • If an upgrade is not immediately possible, block external access to the /system/api/connectionSettings endpoint; this removes only the unauthenticated path named in the advisory, because every token the flawed function emits carries the secret, so any other route that returns one of its tokens leaks it as well
  • The PHP backend implements hmacBase64() correctly, so moving to it avoids the flaw, but that is a backend migration rather than a hotfix



Advisories
Source: GitHub GHSA
ID: GHSA-6c8g-9hfh-pq5h
Title: HAXcms: Private Key Disclosure via Broken HMAC Implementation
History

Fri, 05 Jun 2026 20:45:00 +0000

Type: First Time appeared
  Values Added: Haxtheweb; Haxtheweb haxcms-nodejs
Type: Vendors & Products
  Values Added: Haxtheweb; Haxtheweb haxcms-nodejs

Fri, 05 Jun 2026 20:30:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 19:00:00 +0000

Type: Description
  Values Added: HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs) allowing them to get full admin access with a single HTTP request. First, the function passes the literal string "0" as the HMAC signing key instead of the key parameter, making every HAXcms instance compute identical HMACs for the same input. Then, after computing the HMAC, the function concatenates the real key parameter which is "this.privateKey + this.salt", the system’s master signing secret is directly onto the output. The combined buffer is base64-encoded and returned as the token. Every base64url token produced has the same structure: 32 bytes HMAC keyed with "0" and N bytes of `privateKey+salt`. An attacker base64-decodes any token, discards the first 32 bytes, and reads the private key directly. The `/system/api/connectionSettings` endpoint is unauthenticated and returns multiple tokens generated by this function. A single GET request to this endpoint exposes the private key. The PHP backend implements this function correctly with the actual key and returns only the hash. The PHP version produces 44-character tokens whereas the broken Node.js version produces 139+ character tokens. Version 26.0.0 fixes the issue.
Type: Title
  Values Added: HAX CMS Vulnerable to Private Key Disclosure via Broken HMAC Implementation
Type: Weaknesses
  Values Added: CWE-200; CWE-321; CWE-327
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T19:41:40.542Z

Reserved: 2026-05-13T21:04:10.931Z

Link: CVE-2026-46395

Vulnrichment

Updated: 2026-06-05T19:41:36.923Z

NVD

Status : Deferred

Published: 2026-06-05T19:16:33.593

Modified: 2026-06-05T20:17:33.610

Link: CVE-2026-46395

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T20:45:04Z

Weaknesses