PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46395 haxtheweb CVE debrief

CVE-2026-46395 is a critical vulnerability in HAX CMS, a microsite universe management system with PHP or Node.js backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors. These errors allow any unauthenticated attacker to extract the system's private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs), granting them full admin access with a single HTTP request.

Vendor
haxtheweb
Product
haxcms-nodejs
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-05
Original CVE updated
2026-06-05
Advisory published
2026-06-05
Advisory updated
2026-06-05

Who should care

Administrators and users of HAX CMS, especially those running the Node.js backend, should treat this as a critical vulnerability. The PHP backend is not affected because its implementation of the same function is correct.

Technical summary

The `hmacBase64()` function passes the literal string '0' as the HMAC signing key instead of the key parameter, resulting in identical HMACs for the same input across all HAXcms instances. After computing the HMAC, the function concatenates the real key parameter, which is 'this.privateKey + this.salt', directly onto the output. This allows an attacker to base64-decode any token, discard the first 32 bytes, and read the private key directly.

Defensive priority

High

Recommended defensive actions

  • Upgrade to version 26.0.0 or later of HAX CMS to fix the issue.
  • Use the PHP backend, which is not affected by this vulnerability.

Evidence notes

The `/system/api/connectionSettings` endpoint is unauthenticated and returns multiple tokens generated by the vulnerable `hmacBase64()` function. A single GET request to this endpoint can expose the private key.

Official resources

CVE-2026-46395 was published on 2026-06-05T19:16:33.593Z and modified on 2026-06-05T20:17:33.610Z.