Summary
The hmacBase64() function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system's private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs), giving them full admin access with a single HTTP request.
Details
Bug 1: Hardcoded HMAC Key (line 2160): The function passes the literal string "0" as the HMAC signing key instead of the key parameter, making every HAXcms instance compute identical HMACs for the same input.
Bug 2: Private Key Appended to Output (lines 2161-2163): After computing the HMAC, the function concatenates the real key parameter, "this.privateKey + this.salt" (the system's master signing secret), directly onto the output. The combined buffer is base64-encoded and returned as the token.
Every base64url token produced has the same structure: a 32-byte HMAC-SHA256 keyed with "0" followed by N bytes of privateKey+salt. An attacker base64-decodes any token, discards the first 32 bytes, and reads the private key directly.
The /system/api/connectionSettings endpoint is unauthenticated and returns multiple tokens generated by this function. A single GET request to this endpoint exposes the private key.
The PHP backend (HAXCMS.php:1619-1631) implements this function correctly with the actual key and returns only the hash. The PHP version produces 44-character tokens whereas the broken Node.js version produces 139+ character tokens.
PoC
- GET request to the /system/api/connectionSettings endpoint and fetch the token.
- Extract the private key from the fetched token. The hmacBase64() function produces 32 bytes with HMAC-SHA256 with hardcoded key "0" and the rest of the bytes are privateKey+salt (plaintext). Decode the Base64 token, discard the first 32 bytes, read the remaining bytes as UTF-8 (this is your extracted private key).
- Since JWTs are signed with privateKey+salt, use this stolen private key to forge a JWT for admin using JWT.sign(payload, this.privateKey+this.salt). NOTE: the payload uses {id, user (set this as admin), iat (current timestamp), exp (expiration timestamp)}.
- The same key can also be used to create other tokens (user_token, base_token, form_token, etc).
- Use these forged tokens to hit all authenticated endpoints (modify/delete/create etc) with admin privileges.
Impact
An unauthenticated attacker can perform the complete attack chain with a single HTTP request:
- Extract private key: GET "/system/api/connectionSettings", base64-decode any token, discard first 32 bytes.
- Forge admin JWT: sign arbitrary JWT payloads with the stolen privateKey+salt.
- Forge all request tokens: compute valid user_token, site_token for any API call.
- Full admin access: create/modify/delete sites, upload files, modify content.
This works even if the admin has changed the default credentials to a strong password. The forged tokens produce no login events in logs.
The application uses a cryptographic algorithm known to have weaknesses, such as MD5, SHA-1, or DES. Typical impact: compromised confidentiality or integrity of protected data.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-46395? CVE-2026-46395 is a critical-severity use of a broken or risky cryptographic algorithm vulnerability in @haxtheweb/haxcms-nodejs (npm), affecting versions <= 25.0.0. It is fixed in 26.0.0. The application uses a cryptographic algorithm known to have weaknesses, such as MD5, SHA-1, or DES.
- Which versions of @haxtheweb/haxcms-nodejs are affected by CVE-2026-46395? @haxtheweb/haxcms-nodejs (npm) versions <= 25.0.0 are affected.
- Is there a fix for CVE-2026-46395? Yes. CVE-2026-46395 is fixed in 26.0.0. Upgrade to this version or later.
- Is CVE-2026-46395 exploitable, and should I be worried? Whether CVE-2026-46395 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-46395 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-46395? Upgrade @haxtheweb/haxcms-nodejs to 26.0.0 or later.