Description
Discuz! X5.0 releases 20260320 through 20260501 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to database backup and restore functionality by exploiting a shared cryptographic key between UCenter integration and the database backup API exposed by dbbak.php. Attackers can inject a crafted payload through the username parameter during login to abuse the encryption oracle in logging_ctl::logging_more(), obtain a legitimately signed token, and use it to bypass authorization for database export and import operations, with the additional ability to trigger a race condition to impersonate arbitrary users.
Published: 2026-06-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Discuz! X5.0 releases dated 20260320 through 20260501 contain an authentication bypass that originates from a weak cryptographic key shared between UCenter integration and the database backup API exposed by dbbak.php. By injecting a specially crafted username during the login request, an attacker can invoke the logging_ctl::logging_more() routine to generate a legitimately signed token. That token is then replayed to access the database export and import endpoints without proper authorization, effectively granting the attacker privileged database access. The flaw also allows a race condition that can be exploited to impersonate arbitrary users, further expanding the potential impact. The weakness is identified as CWE‑323, weak cryptographic key.

Affected Systems

Discuz! X5.0 products released between 20260320 and 20260501 are vulnerable. The issue is present in all installations that ship with the dbbak.php script and UCenter integration, regardless of additional configuration.

Risk and Exploitability

The CVSS base score of 9.3 signals critical severity. The EPSS score of less than 1 % indicates that exploitation has been rare or low‑probability as of the last assessment, and the vulnerability is not listed in CISA KEV. Nevertheless, the attack requires only unauthenticated remote access to the public login endpoint and a crafted payload; no prior credentials are necessary. Attackers can readily obtain a signed token and use it to export or import the database, or to trigger a race condition that impersonates users. Given the high impact of disallowed database access, rapid remediation is essential.

Generated by OpenCVE AI on June 18, 2026 at 07:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Discuz! X5.0 version released on or after 20260502 that removes the shared cryptographic key and implements proper token validation.
  • If an upgrade is not immediately available, disable the dbbak.php script by removing or restricting access to it, and disable or reconfigure UCenter integration to eliminate the shared key.
  • Configure a web application firewall to block requests containing suspicious usernames used to trigger the oracle and monitor authentication logs for repeated unauthorized attempts.

Generated by OpenCVE AI on June 18, 2026 at 07:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Discuz
Discuz discuzx
Vendors & Products Discuz
Discuz discuzx

Tue, 16 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
References

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description Discuz! X5.0 releases 20260320 through 20260501 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to database backup and restore functionality by exploiting a shared cryptographic key between UCenter integration and the database backup API exposed by dbbak.php. Attackers can inject a crafted payload through the username parameter during login to abuse the encryption oracle in logging_ctl::logging_more(), obtain a legitimately signed token, and use it to bypass authorization for database export and import operations, with the additional ability to trigger a race condition to impersonate arbitrary users.
Title Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle
Weaknesses CWE-323
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-16T09:48:23.903Z

Reserved: 2026-06-02T16:30:15.232Z

Link: CVE-2026-49952

cve-icon Vulnrichment

Updated: 2026-06-16T09:48:23.903Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:29.103

Modified: 2026-06-16T12:16:26.373

Link: CVE-2026-49952

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T07:30:05Z

Weaknesses
  • CWE-323

    Reusing a Nonce, Key Pair in Encryption