CVE-2026-46401

An attacker must first obtain a valid authentication token, which can be captured from browser storage or network traffic after a legitimate user logs in and performs an action. The attacker then waits for the user to log out. After logout, the attacker replays the captured token against an authenticated CMS API endpoint, such as `/system/api/getSkeleton` or `/system/api/getSites`. The server incorrectly processes the request, granting access as if the user were still authenticated, bypassing the intended session termination [ref_id=1].

The vulnerability lies within HAXCMS's session management implementation, specifically in how it handles token revocation upon user logout. The advisory notes that the application lacks proper server-side token revocation mechanisms, such as token blacklisting or server-side session tracking, allowing any endpoint accepting user_token parameters to continue honoring previously issued tokens [ref_id=1].

Version 26.0.0 addresses the vulnerability by implementing proper server-side token revocation mechanisms. This ensures that authentication tokens are invalidated on the server when a user logs out, rather than relying solely on client-side state clearing. The fix prevents previously issued tokens from being replayed against authenticated API endpoints after a user has terminated their session, thereby closing the unauthorized access vector [ref_id=1].

1. Log in to HAXCMS using valid credentials. 2. Create a site or skeleton (e.g., named "online-course-clean-one"). 3. Capture the authentication token (user_token parameter) from browser storage or network traffic. 4. Log out using the standard logout functionality. 5. Replay the captured token against an authenticated API endpoint, for example: `GET /system/api/getSkeleton?name=online-course-clean-one&user_token=<CAPTURED_TOKEN>`. Expected Result: Server should return an HTTP 401 Unauthorized response. Actual Result: Server returns HTTP 200 OK with CMS data, indicating the token remains valid [ref_id=1].