{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@haxtheweb/haxcms-nodejs--25.0.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@haxtheweb/haxcms-nodejs (\u003c= 25.0.0)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-46395","haxcms","key-disclosure","jwt","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["HAXtheWeb"],"content_html":"\u003cp\u003eThe \u003ccode\u003ehmacBase64()\u003c/code\u003e function in the HAXcms Node.js backend contains two critical cryptographic implementation errors. First, the function passes the literal string \u0026ldquo;0\u0026rdquo; as the HMAC signing key instead of the intended key parameter, resulting in identical HMACs across all HAXcms instances for the same input. Second, after computing the HMAC, the function concatenates the actual signing secret (\u003ccode\u003ethis.privateKey + this.salt\u003c/code\u003e) directly onto the output. This design flaw allows any unauthenticated attacker to extract the system’s private signing key, forge arbitrary admin-level JSON Web Tokens (JWTs), and gain full admin access with a single HTTP request. The vulnerability affects \u003ccode\u003e@haxtheweb/haxcms-nodejs\u003c/code\u003e versions 25.0.0 and earlier.\nThis vulnerability is tracked as CVE-2026-46395.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to the \u003ccode\u003e/system/api/connectionSettings\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe server responds with JSON data containing multiple tokens generated by the flawed \u003ccode\u003ehmacBase64()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts one of these tokens from the response.\u003c/li\u003e\n\u003cli\u003eThe attacker base64-decodes the token.\u003c/li\u003e\n\u003cli\u003eThe attacker discards the first 32 bytes of the decoded token (the HMAC).\u003c/li\u003e\n\u003cli\u003eThe attacker reads the remaining bytes as a UTF-8 string, which contains the \u003ccode\u003eprivateKey+salt\u003c/code\u003e secret.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted \u003ccode\u003eprivateKey+salt\u003c/code\u003e to forge a JWT with admin privileges using \u003ccode\u003eJWT.sign(payload, this.privateKey+this.salt)\u003c/code\u003e. The forged JWT contains a payload specifying \u003ccode\u003eid\u003c/code\u003e, \u003ccode\u003euser\u003c/code\u003e (set to \u0026ldquo;admin\u0026rdquo;), \u003ccode\u003eiat\u003c/code\u003e (current timestamp), and \u003ccode\u003eexp\u003c/code\u003e (expiration timestamp).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the forged JWT to access authenticated endpoints, performing actions such as creating, modifying, or deleting sites, and uploading files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to gain full administrative control over a HAXcms instance. The attacker can create, modify, or delete sites, upload arbitrary files, and modify content without any login events being recorded.\nThis attack bypasses any strong passwords set by the administrator. The vulnerability affects \u003ccode\u003e@haxtheweb/haxcms-nodejs\u003c/code\u003e versions 25.0.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect requests to the \u003ccode\u003e/system/api/connectionSettings\u003c/code\u003e endpoint as an early warning of exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply patches or updates provided by HAXtheWeb for \u003ccode\u003e@haxtheweb/haxcms-nodejs\u003c/code\u003e to address CVE-2026-46395.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for abnormally long tokens, which can indicate exploitation, and correlate them with the \u003ccode\u003eHAXcms Node.js Token Length Anomaly\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T14:46:30Z","date_published":"2026-05-19T14:46:30Z","id":"https://feed.craftedsignal.io/briefs/2026-05-haxcms-key-disclosure/","summary":"The HAXcms Node.js backend contains two cryptographic implementation errors in the `hmacBase64()` function that allow an unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs), giving them full admin access with a single HTTP request.","title":"HAXcms Node.js Backend Private Key Disclosure via Broken HMAC Implementation","url":"https://feed.craftedsignal.io/briefs/2026-05-haxcms-key-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — @Haxtheweb/Haxcms-Nodejs (\u003c= 25.0.0)","version":"https://jsonfeed.org/version/1.1"}