Threat Feed
critical advisory

HAXcms Node.js Backend Private Key Disclosure via Broken HMAC Implementation

The HAXcms Node.js backend contains two cryptographic implementation errors in the `hmacBase64()` function. Together they let an unauthenticated attacker extract the system's private signing key from a single HTTP response, forge arbitrary admin-level JSON Web Tokens (JWTs), and obtain full administrative access.

The hmacBase64() function in the HAXcms Node.js backend contains two critical cryptographic implementation errors. First, the function passes the literal string "0" as the HMAC signing key instead of the intended key parameter, so every HAXcms instance produces the identical HMAC for the same input. Second, after computing the HMAC, the function concatenates the actual signing secret (this.privateKey + this.salt) directly onto the output before encoding it. Together, these two errors allow any unauthenticated attacker to extract the system's private signing key, forge arbitrary admin-level JSON Web Tokens (JWTs), and gain full admin access with a single HTTP request. The vulnerability affects @haxtheweb/haxcms-nodejs versions 25.0.0 and earlier. This vulnerability is tracked as CVE-2026-46395.

Attack Chain

  1. The attacker sends an unauthenticated GET request to the /system/api/connectionSettings endpoint.
  2. The server responds with JSON data containing multiple tokens generated by the flawed hmacBase64() function.
  3. The attacker extracts one of these tokens from the response.
  4. The attacker base64-decodes the token.
  5. The attacker discards the first 32 bytes of the decoded token (the HMAC digest).
  6. The attacker reads the remaining bytes as a UTF-8 string, which is the privateKey+salt secret.
  7. The attacker uses the extracted privateKey+salt to forge a JWT with admin privileges, using the same call the server uses, JWT.sign(payload, this.privateKey+this.salt). The forged JWT carries a payload specifying id, user (set to "admin"), iat (current timestamp), and exp (expiration timestamp).
  8. The attacker uses the forged JWT to access authenticated endpoints, performing actions such as creating, modifying, or deleting sites, and uploading files.

Impact

Successful exploitation allows an unauthenticated attacker to gain full administrative control over a HAXcms instance. The attacker can create, modify, or delete sites, upload arbitrary files, and modify content without any login events being recorded, because no login takes place: the forged JWT is accepted directly, so even a strong administrator password offers no protection. The vulnerability affects @haxtheweb/haxcms-nodejs versions 25.0.0 and earlier.

Recommendation

  • Deploy the Sigma rule that detects requests to the /system/api/connectionSettings endpoint as an early warning of exploitation attempts.
  • Apply the patches or updates provided by HAXtheWeb for @haxtheweb/haxcms-nodejs that address CVE-2026-46395.
  • Monitor web server logs for abnormally long tokens, which can indicate exploitation, and correlate hits with the HAXcms Node.js Token Length Anomaly Sigma rule.

Detection coverage (2 rules)

HAXcms Node.js Connection Settings Access

Severity: medium

Detects access to the `/system/api/connectionSettings` endpoint, which exposes the private key due to CVE-2026-46395.

Rule format: Sigma. Tactic: initial_access. Technique: T1190. Log source: webserver.

HAXcms Node.js Token Length Anomaly

Severity: high

Detects abnormally long tokens generated by the vulnerable Node.js backend, indicative of private key exposure due to CVE-2026-46395.

Rule format: Sigma. Tactic: credential_access. Technique: T1555.003. Log source: webserver.
