HAXcms: Private Key Disclosure via Broken HMAC Implementation
Description
Summary
The hmacBase64() function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs) allowing them to get full admin access with a single HTTP request.
Details
Bug 1: Hardcoded HMAC Key (line 2160): The function passes the literal string "0" as the HMAC signing key instead of the key parameter, making every HAXcms instance compute identical HMACs for the same input.
Bug 2: Private Key Appended to Output (lines 2161- 2163): After computing the HMAC, the function concatenates the real key parameter which is "this.privateKey + this.salt", the system’s master signing secret is directly onto the output. The combined buffer is base64-encoded and returned as the token.
Every base64url token produced has the same structure: 32 bytes HMAC keyed with "0" and N bytes of privateKey+salt. An attacker base64-decodes any token, discards the first 32 bytes, and reads the private key directly.
The /system/api/connectionSettings endpoint is unauthenticated and returns multiple tokens generated by this function. A single GET request to this endpoint exposes the private key.
The PHP backend (HAXCMS.php:1619-1631) implements this function correctly with the actual key and returns only the hash. The PHP version produces 44-character tokens whereas the broken Node.js version produces 139+ character tokens.
### PoC 1. GET request to /system/api/connectionSettings endpoint and fetch the token. 2. Extract the private key from the fetched token. The hmacBase64() function produces 32 bytes with HMAC-SHA256 with hardcoded key "0" and the rest of the bytes are privateKey+salt (plaintext). Decode the Base64 token, discard the first 32 bytes, read the remaining bytes as UTF-8 (this is your extracted private key). 3. Since JWT's are signed with privateKey+salt, use this stolen private key to forge a JWT for admin using JWT.sign(payload, this.privateKey+this.salt). NOTE: the payload uses {id, user (set this as admin), iat (current timestamp), exp (expiration timestamp)} 4. The same key can also be used to create other tokens (user_token, base_token, form_token, etc). 5. Use these forged tokens to hit all authenticated endpoints (modify/delete/create etc) with admin privileges.
Impact
An unauthenticated attacker can perform the complete attack chain with a single HTTP request: 1. Extract private key: GET "/system/api/connectionSettings", base64-decode any token, discard first 32 bytes. 2. Forge admin JWT: sign arbitrary JWT payloads with the stolen privateKey+salt. 3. Forge all request tokens: compute valid user_token, site_token for any API call. 4. Full admin access: create/modify/delete sites, upload files, modify content.
This works even if the admin has changed the default credentials to a strong password. The forged tokens produce no login events in logs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A hardcoded HMAC key and private-key concatenation bug in HAXcms Node.js lets any unauthenticated attacker recover the signing secret and forge admin JWTs.
Vulnerability
The hmacBase64() function in HAXcms Node.js backend contains two cryptographic implementation errors. First, on line 2160 the function passes the literal string "0" as the HMAC signing key instead of the actual key parameter, making every instance compute identical HMACs for the same input. Second, on lines 2161–2163 after computing the HMAC, the function concatenates the real key parameter (this.privateKey + this.salt) directly onto the output before base64-encoding the combined buffer [1][2]. This affects all Node.js backend versions; the PHP backend (HAXCMS.php:1619-1631) implements the function correctly [2]. The unauthenticated endpoint /system/api/connectionSettings returns multiple tokens generated by this broken function [2][3].
Exploitation
An attacker needs no authentication, no prior access, and no user interaction. A single GET request to /system/api/connectionSettings fetches a token [2]. The token produced by the broken hmacBase64() function is 32 bytes of HMAC-SHA256 (keyed with "0") followed by privateKey+salt in plaintext, all base64url-encoded [2][3]. The attacker base64-decodes the token, discards the first 32 bytes, and reads the remaining bytes as UTF-8 to obtain privateKey+salt. Since the PHP backend produces 44-character tokens and the Node.js version produces 139+ character tokens, the length difference also flags the vulnerable version [2].
Impact
Successful exploitation allows an unauthenticated attacker to extract the system's master signing secret (privateKey+salt). With that secret, the attacker can forge arbitrary admin-level JSON Web Tokens (JWTs) by calling JWT.sign(payload, this.privateKey+this.salt) and achieve full admin access with a single HTTP request [2][3]. The compromise is total: complete disclosure of the signing key leads to privilege escalation to admin, enabling full read/write access to the CMS.
Mitigation
As of the referenced advisories, no patched version has been released; the issue is reported against the HAXcms Node.js backend [1][2][3]. A workaround is to disable or restrict access to the /system/api/connectionSettings endpoint until a fix is available, or to switch to the PHP backend which implements hmacBase64() correctly [2]. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.