Impact
Discuz! X5.0 releases dated 20260320 through 20260501 contain an authentication bypass that originates from a weak cryptographic key shared between UCenter integration and the database backup API exposed by dbbak.php. By injecting a specially crafted username during the login request, an attacker can invoke the logging_ctl::logging_more() routine to generate a legitimately signed token. That token is then replayed to access the database export and import endpoints without proper authorization, effectively granting the attacker privileged database access. The flaw also allows a race condition that can be exploited to impersonate arbitrary users, further expanding the potential impact. The weakness is identified as CWE‑323, weak cryptographic key.
Affected Systems
Discuz! X5.0 products released between 20260320 and 20260501 are vulnerable. The issue is present in all installations that ship with the dbbak.php script and UCenter integration, regardless of additional configuration.
Risk and Exploitability
The CVSS base score of 9.3 signals critical severity. The EPSS score of less than 1 % indicates that exploitation has been rare or low‑probability as of the last assessment, and the vulnerability is not listed in CISA KEV. Nevertheless, the attack requires only unauthenticated remote access to the public login endpoint and a crafted payload; no prior credentials are necessary. Attackers can readily obtain a signed token and use it to export or import the database, or to trigger a race condition that impersonates users. Given the high impact of disallowed database access, rapid remediation is essential.
OpenCVE Enrichment