Impact
A vulnerability in Discuz! X5.0 allows unauthenticated remote attackers to bypass the authentication system by exploiting an encryption oracle that reuses a cryptographic key shared between UCenter integration and the database backup API exposed by dbbak.php. By injecting a crafted username into the login request, an attacker can trigger the logging_ctl::logging_more() routine to produce a legitimately signed token. That token can then be used to perform database export and import operations without proper authorization, effectively granting the attacker privileged access to the database and potentially allowing further compromise. This flaw arises from CWE‑323, weak password cryptographic storage, and constitutes an authentication bypass that can be leveraged to gain unauthorized database access.
Affected Systems
Discuz! X5.0 products released between 20260320 and 20260501 are affected. The vulnerability exists across all installations of Discuz! X5.0 within this release window, regardless of specific configuration, because the shared cryptographic key is hard‑coded in the code base. The issue is present in all distributions that ship with the dbbak.php script and UCenter integration.
Risk and Exploitability
CVSS base score 9.3 indicates critical severity, and the configuration and privileges required are minimal: unauthenticated remote users can trigger the flaw via the publicly exposed login endpoint. An EPSS score of less than 1% suggests exploitation is currently rare or low‑probability, and the vulnerability is not listed in CISA KEV, but the high impact and exploitability via a simple HTTP request mean that an attacker with internet exposure to the target can readily misuse it. Organizations should act swiftly to remediate. The attack path involves injecting a crafted payload during login, harvesting a signed token, and then using that token to call the database backup endpoints or manipulate runtime tokens to impersonate arbitrary users.
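Until patched builds are deployed, the most practical detection signal named in this advisory is traffic to dbbak.php, which ordinarily only an administrator performing a backup should touch. The following is an added example written for this page, not code from OpenCVE or the Discuz! project: it scans web-server access logs in the common combined format and flags every request whose path ends in /dbbak.php unless it originates from a known administrative host. The sample log lines, the 192.0.2.10 admin host and the op=export / op=import query strings are all constructed placeholders for illustration; the real parameter names are not stated in the advisory, so matching is done on the script path only.

```python
import re
from collections import Counter

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (not real logs). Query strings are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2026:10:00:01 +0000] "POST /member.php?mod=logging&action=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/May/2026:10:00:03 +0000] "GET /dbbak.php?op=export HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
198.51.100.2 - - [01/May/2026:10:05:10 +0000] "GET /forum.php HTTP/1.1" 200 1034 "-" "Mozilla/5.0"
this line is garbage and must be skipped, not crash the scanner
192.0.2.10 - - [01/May/2026:11:00:00 +0000] "GET /dbbak.php?op=export HTTP/1.1" 200 91002 "-" "curl/8.0"
203.0.113.7 - - [01/May/2026:10:00:09 +0000] "POST /dbbak.php?op=import HTTP/1.1" 200 210 "-" "Mozilla/5.0"
"""

# Assumed: the one host from which administrators legitimately run backups.
ADMIN_HOSTS = frozenset({"192.0.2.10"})


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Strip the query string so detection keys on the script path alone.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def find_dbbak_hits(log_text, admin_allowlist=frozenset()):
    """Return an alert record for each dbbak.php request from a non-admin source."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the scan
        if rec["path"].lower().endswith("/dbbak.php") and rec["ip"] not in admin_allowlist:
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "method": rec["method"],
                "target": rec["target"],
                "status": int(rec["status"]),
            })
    return alerts


def hits_per_source(alerts):
    """Aggregate alerts by source IP so repeated backup-API access stands out."""
    return dict(Counter(a["ip"] for a in alerts))


if __name__ == "__main__":
    found = find_dbbak_hits(SAMPLE_LOG, ADMIN_HOSTS)
    for a in found:
        print(f"{a['ts']} {a['ip']} {a['method']} {a['target']} -> {a['status']}")
    print("per-source counts:", hits_per_source(found))
```

Feeding the constructed sample through the scanner reports the two requests from 203.0.113.7 (an export followed by an import) and stays quiet about the admin host; the same allowlist-plus-path logic ports directly to a SIEM rule, and a non-admin source that first hits the login endpoint and then dbbak.php within seconds matches the attack path this advisory describes.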
OpenCVE Enrichment