HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis
Description
Summary
Multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched substrings to an attacker-controlled endpoint and capture authentication.
Details
api/services/website/cacheAddress.js, api/apps/haxcms/lib/JOSHelpers.js, and api/apps/haxcms/convert/elmslnToSite.js use similar logic to check for hard-coded site names. However, the logic only looks for the substring to be included in the user-controlled string, allowing an attacker to craft an API call and extract the credentials intended for the hard-coded domains.
PoC
Making API calls to an affected endpoint will result in credential theft. The attacker-controlled domains in these proofs of concept are cloudflared tunnels, protecting the production credentials from unencrypted exposure.
cacheAddress.js:
elmslnToSite.js:
JOSHelpers.js:
Impact
This vulnerability allows internal data, including secrets, to be exfiltrated to an attacker-controlled domain. Credentials were confirmed with the maintainer to grant access to unreleased LMS content on subsequent systems; out of scope for PoC.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Substring hostname matching in open-apis allows credential theft via SSRF by appending matched domains to attacker-controlled endpoints.
Vulnerability
Multiple functions in api/services/website/cacheAddress.js, api/apps/haxcms/lib/JOSHelpers.js, and api/apps/haxcms/convert/elmslnToSite.js perform substring-only matching to validate hostnames before sending basic authorization. This allows an attacker to append a hard-coded substring to an attacker-controlled domain and pass validation. The affected versions are those in the open-apis repository. [2][3]
Exploitation
An attacker crafts an API call with a hostname that includes the matched substring (e.g., a hard-coded site name) followed by an attacker-controlled domain. The substring match passes, and the credentials are sent to the attacker's endpoint via server-side request forgery (SSRF). No authentication or user interaction is required. [2][3]
Impact
Successful exploitation leads to theft of credentials and other secrets, which can be used to access unreleased LMS content on subsequent systems. This results in disclosure of sensitive information. [2][3]
Mitigation
As of the advisory publication, no fix version has been released. A workaround is to implement exact hostname matching instead of substring matching. The maintainer has been notified. [2][3]
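Added example, not code from the open-apis repository: the substring comparison the Details section describes, placed beside the exact-hostname check the Mitigation section recommends. The allowlist entries, function names and URLs are constructed placeholders, not the project's real hard-coded site names.

```javascript
// Constructed allowlist of hostnames that may receive basic authorization.
// These are placeholders, not the hard-coded site names in open-apis.
const ALLOWED_HOSTS = new Set(['content.example.test', 'media.example.test']);

// Vulnerable pattern from the advisory: substring-only matching on the raw,
// user-controlled string. Any URL that merely contains an allowed name passes.
function isTrustedVulnerable(target) {
  for (const host of ALLOWED_HOSTS) {
    if (target.includes(host)) return true;
  }
  return false;
}

// Hardened check: parse the URL first, then compare the parsed hostname
// exactly (lower-cased, trailing dot removed) and require https, so the
// credential is only attached to requests bound for an allowlisted host.
function isTrustedHost(target) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return false; // unparseable input is never trusted
  }
  if (url.protocol !== 'https:') return false;
  const hostname = url.hostname.toLowerCase().replace(/\.$/, '');
  return ALLOWED_HOSTS.has(hostname);
}

// Build outbound request headers; the Authorization header is added only
// when the exact-hostname check passes. basicAuthValue is a constructed
// placeholder for the base64 user:password value.
function buildHeaders(target, basicAuthValue) {
  const headers = { Accept: 'application/json' };
  if (isTrustedHost(target)) {
    headers.Authorization = 'Basic ' + basicAuthValue;
  }
  return headers;
}
```

Dropping the request entirely for untrusted hosts, rather than only omitting the header, is the stricter option when the endpoint never needs to fetch arbitrary URLs.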
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.