HAXcms's Insecure Default Configuration Leads to Unauthenticated Access
Description
HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authentication checks. If a user were to deploy haxcms-nodejs without modifying the default settings, ‘HAXCMS_DISABLE_JWT_CHECKS‘ would be set to ‘true‘ and their deployment would lack session authentication. This is fixed in version 11.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HAXcms NodeJS default configuration disables JWT checks, allowing unauthenticated remote attackers to access, modify, and delete site data.
Root
Cause
The NodeJS version of HAXcms, up to version 11.0.6, uses an insecure default configuration intended for local development. The environment variable HAXCMS_DISABLE_JWT_CHECKS is set to true by default, which disables all authentication and authorization checks [1][3]. This design flaw means that if a user deploys haxcms-nodejs without modifying the default settings, the application will not enforce session authentication.
Exploitation
An attacker can exploit this vulnerability simply by accessing the HAXXcms instance over the network. No authentication is required; the application loads without any JWT token verification [3]. This allows any remote, unauthenticated user to interact with the CMS endpoints.
Impact
With JWT checks disabled, an unauthenticated remote attacker can access, modify, and delete all site information, including user data, content, and configuration [3]. This fully compromises the confidentiality, integrity, and availability of the CMS instance.
Mitigation
The vulnerability is fixed in HAXcms NodeJS version 11.0.7 [1]. Users are strongly advised to upgrade immediately. For deployments that cannot upgrade, ensure that HAXCMS_DISABLE_JWT_CHECKS is set to false in the production environment.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@haxtheweb/haxcms-nodejsnpm | < 11.0.7 | 11.0.7 |
Affected products
2- haxtheweb/issuesv5Range: < 11.0.7
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-f38f-jvqj-mfg6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-54127ghsaADVISORY
- github.com/haxtheweb/issues/security/advisories/GHSA-f38f-jvqj-mfg6ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.