Threat Advisory

HAXcms Vulnerability Exposes Authorization Bypass via Cross-Tenant Hijack

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the npm/@haxtheweb/haxcms-nodejs and npm/@haxtheweb/open-apis packages. The affected versions are <= 25.0.0. The vulnerabilities include a mass token exfiltration and cross-tenant hijack via stored XSS, a private key disclosure via a broken HMAC implementation, and a server-side request forgery vulnerability that enables arbitrary file read and internal network access. These vulnerabilities can result in business risk and impact, including unauthorized access to sensitive data, potential system compromise, and data exfiltration.

  • CVE-2026-46511 with a CVSS score of 7.5 – Mass token exfiltration and cross-tenant hijack via stored XSS in the `/system/api/connectionSettings` endpoint. An authenticated attacker can exploit this vulnerability to force a victim's browser to silently fetch the victim's connection settings, extract the tokens, and exfiltrate them to an attacker-controlled webhook.
  • CVE-2026-46395 with a CVSS score of 9.0 – Private key disclosure via a broken HMAC implementation in the `hmacBase64()` function. An unauthenticated attacker can exploit this vulnerability to extract the system's private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs), gaining full admin access with a single HTTP request.
  • CVE-2026-46391 with a CVSS score of 7.5 – Server-side request forgery (SSRF) in multiple functions that use substring-only matching to validate the hostnames to which basic authorization credentials should be sent. An attacker can append the matched substring to an attacker-controlled endpoint so that it passes the check, and capture the credentials.
  • CVE-2026-46393 with a CVSS score of 7.5 – Server-side request forgery (SSRF) in the `createSite` endpoint of HAXcms. An authenticated user can exploit this vulnerability to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access.
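The weak hostname validation behind CVE-2026-46391 is a general pattern, so the following added example (illustrative code, not HAXcms's own) shows a substring-style check beside a hardened version. Both functions, the `TRUSTED_HOSTS` allow-list and the sample URLs are hypothetical; the hardened version parses the URL, requires HTTPS, rejects embedded userinfo and compares the hostname exactly, which is also the shape of allow-list a server-side fetch such as the `createSite` case (CVE-2026-46393) should be gated by.

```javascript
// Added example, not HAXcms code: hostname allow-listing for outbound
// requests that carry basic-auth credentials.

// Hypothetical allow-list of hosts permitted to receive credentials.
const TRUSTED_HOSTS = ['api.trusted.example'];

// Weak check in the style the advisory describes: any URL that merely
// *contains* a trusted name is accepted, so a hostname that embeds the
// trusted name as a prefix or label still passes.
function weakShouldSendAuth(target) {
  return TRUSTED_HOSTS.some((host) => target.includes(host));
}

// Hardened check: parse first, then compare the real hostname exactly.
function shouldSendAuth(target) {
  let url;
  try {
    url = new URL(target); // global WHATWG URL parser in Node and browsers
  } catch {
    return false; // unparsable input never gets credentials
  }
  if (url.protocol !== 'https:') return false; // no credentials over plaintext
  if (url.username || url.password) return false; // refuse user@host confusion
  return TRUSTED_HOSTS.includes(url.hostname.toLowerCase());
}

// Side-by-side comparison over constructed sample URLs; returns an object
// so the outcome can be inspected or asserted on rather than only printed.
function compareChecks() {
  const samples = [
    'https://api.trusted.example/v1/settings',
    'https://api.trusted.example.other.test/steal', // trusted name as a sub-label
    'http://api.trusted.example/v1/settings', // plaintext scheme
    'not a url',
  ];
  return samples.map((sample) => ({
    sample,
    weak: weakShouldSendAuth(sample),
    hardened: shouldSendAuth(sample),
  }));
}

module.exports = { TRUSTED_HOSTS, weakShouldSendAuth, shouldSendAuth, compareChecks };
```

Run with `node` and inspect `compareChecks()`: the substring check accepts the second sample because the trusted name appears inside the hostname, while the hardened check accepts only the first. Exact matching on the parsed `hostname` is the fix; a scheme restriction and refusal of userinfo close the adjacent confusion cases at almost no cost.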

The exploitation of these vulnerabilities can result in significant business risk and impact, including unauthorized access to sensitive data, potential system compromise, and data exfiltration.

RECOMMENDATION:

  • We recommend updating npm/@haxtheweb/haxcms-nodejs to version 26.0.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-x3x5-7h4h-gwxg
https://github.com/advisories/GHSA-6c8g-9hfh-pq5h
https://github.com/advisories/GHSA-4fg7-f244-3j49
https://github.com/advisories/GHSA-q862-gcgq-5m6g
