CVE-2026-49952
Description
Discuz! X5.0 releases 20260320–20260501 allow unauthenticated attackers to bypass authentication via a shared cryptographic key, enabling database backup/restore access and user impersonation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Discuz! X5.0 releases 20260320 through 20260501 contain an authentication bypass vulnerability due to a shared cryptographic key between UCenter integration and the database backup/restore API. The config/config_ucenter.php file defines UC_KEY by copying the global authkey setting, breaking cryptographic isolation [2]. The logging_ctl::logging_more() method, invoked during login when lssubmit is present, encrypts attacker-controlled input with the global authkey and reflects the ciphertext, acting as an encryption oracle [2][4].
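The defect described above is a failure of key separation: one secret serves two unrelated purposes, so ciphertext produced in one context is accepted in another. The following PHP is an added illustration of the principle, not Discuz! code and not the vendor's patch; the function names, the purpose labels and the constructed master secret are assumptions. It derives an independent key per purpose from a single root secret with HKDF and binds each token to its purpose, so a token minted for one API is rejected by another even though both keys descend from the same root.

```php
<?php
// Added example, not Discuz! code: per-purpose key derivation and
// context-bound tokens. All names and the master secret are constructed here.

// Derive an independent key for one named purpose. HKDF (RFC 5869) with a
// distinct "info" label yields keys that cannot be recovered from each other.
function deriveKey(string $masterSecret, string $purpose): string
{
    // 32 bytes = 256-bit key; a fixed salt is acceptable when $masterSecret is high-entropy.
    return hash_hkdf('sha256', $masterSecret, 32, 'discuz-example/' . $purpose, 'key-separation-v1');
}

// Mint a token for a purpose: HMAC over the purpose label and payload, so the
// token cannot be replayed into a different API even if keys were ever shared.
function mintToken(string $key, string $purpose, string $payload): string
{
    $body = $purpose . "\0" . $payload;
    $mac = hash_hmac('sha256', $body, $key, true); // 32 raw bytes
    return base64_encode($mac . $body);
}

// Verify a token for the purpose the receiving API expects; returns the payload or null.
function verifyToken(string $key, string $expectedPurpose, string $token): ?string
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) <= 32) {
        return null;
    }
    $mac = substr($raw, 0, 32);
    $body = substr($raw, 32);
    $expectedMac = hash_hmac('sha256', $body, $key, true);
    if (!hash_equals($expectedMac, $mac)) {
        return null; // forged or wrong key
    }
    $sep = strpos($body, "\0");
    if ($sep === false || substr($body, 0, $sep) !== $expectedPurpose) {
        return null; // valid MAC but minted for another context: reject
    }
    return substr($body, $sep + 1);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed master secret standing in for a deployment's single root secret.
$masterSecret = random_bytes(32);

// Two unrelated consumers each get their own key instead of copying the same one.
$loginKey  = deriveKey($masterSecret, 'login-session');
$backupKey = deriveKey($masterSecret, 'db-backup-api');
check($loginKey !== $backupKey, 'derived keys differ');

// A token produced in the login context ...
$t = mintToken($loginKey, 'login-session', 'uid=42');

// ... is accepted there ...
check(verifyToken($loginKey, 'login-session', $t) === 'uid=42', 'login token accepted by login');
// ... but rejected by the backup API: different key and different purpose label.
check(verifyToken($backupKey, 'db-backup-api', $t) === null, 'login token rejected by backup API');
// Even if the backup API were handed the login key by mistake, the purpose label still rejects it.
check(verifyToken($loginKey, 'db-backup-api', $t) === null, 'purpose label alone rejects cross-context use');

echo "key separation checks passed\n";
```

The two defences are independent: separate derived keys stop a token from verifying at all in the wrong context, and the purpose label inside the MAC input catches the case where an operator later copies one key into another component's configuration.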
Exploitation
An unauthenticated attacker can inject a crafted payload through the username parameter during login to obtain a legitimately signed token from the encryption oracle [2][4]. This token bypasses the authorization check in /api/db/dbbak.php, granting access to database export and import operations. By abusing the database export/import functionality, the attacker can trigger a race condition to impersonate arbitrary users [1][2]. No prior authentication is required; only network access to the target is needed.
Impact
Successful exploitation allows an unauthenticated attacker to gain unauthorized access to database backup and restore functionality, potentially leading to data exfiltration or modification. By chaining with the race condition, the attacker can impersonate any user, effectively bypassing authentication [1][2]. This can be further combined with other vulnerabilities (e.g., LFI) to achieve remote code execution [1].
Mitigation
The vendor released a fix in version 20260510 [2]. Users should upgrade to Discuz! X5.0 release 20260510 or later. The fix is available in the official repository (commit 9962dad52c4c6999dabaf91ecd70377c680ff3c6) [3]. No workaround is documented; upgrading is the recommended action.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (1)
- 9962dad52c4c
Vulnerability mechanics
Root cause
"Missing path validation in plugin enable/disable logic allows an attacker-controlled file path to be passed to PHP's include(), enabling Local File Inclusion."
Attack vector
An unauthenticated attacker first exploits a cross-context token reuse vulnerability to bypass authentication and gain administrator privileges. As an admin, the attacker imports a malicious plugin XML via `import.php` by setting `$_GET['dir']` to an existing plugin directory (e.g., "myrepeats") and uploading an XML file that controls the `$pluginarray` structure [ref_id=1]. The attacker sets `$pluginarray['plugin']['directory']` to a path traversal string (e.g., `../../data/attachment/common/cf/`) and `$pluginarray['modules']['extra']['enablefile']` to a filename of a previously uploaded image containing PHP code. When the admin then enables the plugin, `enable_disable.php` includes the attacker-controlled file, executing arbitrary PHP code [ref_id=1].
Affected code
The vulnerability spans two scripts. In `/source/app/admin/child/plugins/enable_disable.php`, line 36 calls `include $filename` with a path partially controlled by the attacker via the `$pluginarray` variable. In `/source/app/admin/child/plugins/import.php`, the `getimportdata()` function at line 62 deserializes an attacker-uploaded XML file into `$pluginarray`, which is then passed to `plugininstall()` in `/source/function/function_plugin.php`, storing the attacker-controlled `directory` and `modules` values into the database [ref_id=1].
What the fix does
The patch [patch_id=6110798] addresses the LFI by adding validation to the `$filename` variable before the `include()` call in `enable_disable.php`. Specifically, it ensures the resolved path stays within the expected plugin directory, preventing directory traversal. The patch also sanitizes the `$pluginarray` data during plugin import to block malicious `directory` and `modules` values from being stored. These changes close the path traversal vector that allowed an attacker to include arbitrary files from the filesystem.
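The containment check described above, written out as an added PHP example; this is not the Discuz! patch and not its code, and the function name, the plugin root layout and the fixture files are assumptions. Both path segments are allowlisted, the candidate is canonicalised with `realpath()`, and only a path that resolves strictly inside the plugin root reaches `include`.

```php
<?php
// Added example, not Discuz! code: restrict an include() target to a file that
// canonically resolves inside the plugin root. Names and layout are assumptions.

// Return the canonical path of $directory/$enableFile under $pluginRoot, or null
// if either segment is malformed or the resolved path escapes the root.
function resolvePluginFile(string $pluginRoot, string $directory, string $enableFile): ?string
{
    // Allowlist each segment: a plugin identifier is one path component with no
    // separators or dots, and the enable file is a single .php name.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $directory)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_]+\.php$/', $enableFile)) {
        return null;
    }

    $base = realpath($pluginRoot);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", symlinks and duplicate separators; it returns
    // false for a path that does not exist, which is also treated as a rejection.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $directory . DIRECTORY_SEPARATOR . $enableFile);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment: the canonical path must start with "<base>/". Comparing with
    // the trailing separator stops "/srv/plugins_other" from matching "/srv/plugins".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed fixture: a throwaway plugin root with one legitimate plugin and a
// PHP file placed outside the root, standing in for an uploaded attachment.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'plugin_root_' . bin2hex(random_bytes(4));
mkdir($root . '/plugins/myplugin', 0700, true);
mkdir($root . '/data/attachment', 0700, true);
file_put_contents($root . '/plugins/myplugin/enable.php', "<?php return 'plugin enabled';\n");
file_put_contents($root . '/data/attachment/planted.php', "<?php return 'must never run';\n");

$pluginRoot = $root . '/plugins';

$cases = [
    // [directory, enableFile, expected to be allowed?]
    ['myplugin', 'enable.php', true],
    ['../data/attachment', 'planted.php', false],             // traversal in the directory segment
    ['myplugin', '../../data/attachment/planted.php', false], // traversal in the file segment
    ['myplugin', 'enable.php.txt', false],                    // wrong extension
    ['nosuchplugin', 'enable.php', false],                    // does not exist
];

foreach ($cases as [$dir, $file, $expectAllowed]) {
    $resolved = resolvePluginFile($pluginRoot, $dir, $file);
    $allowed = $resolved !== null;
    if ($allowed !== $expectAllowed) {
        throw new RuntimeException("unexpected result for $dir/$file");
    }
    if ($allowed) {
        // Only a contained, allowlisted path ever reaches include.
        $result = include $resolved;
        echo "included: $result\n";
    } else {
        echo "rejected: $dir/$file\n";
    }
}

// Remove the fixture.
unlink($root . '/plugins/myplugin/enable.php');
unlink($root . '/data/attachment/planted.php');
rmdir($root . '/plugins/myplugin');
rmdir($root . '/plugins');
rmdir($root . '/data/attachment');
rmdir($root . '/data');
rmdir($root);
```

The segment allowlist does most of the work on its own; the `realpath()` prefix comparison is the backstop for anything the allowlist does not anticipate, such as a symlink planted inside the plugin directory pointing elsewhere.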
Preconditions
- auth: Attacker must first obtain administrator privileges (via the authentication bypass chain described in the CVE)
- input: Attacker must be able to upload a file containing PHP code (e.g., via profile picture upload)
- input: Attacker must import a crafted plugin XML file via import.php
- input: Attacker must then trigger the enable/disable plugin action to execute the include
Reproduction
The reference write-up [ref_id=1] describes the full chain but does not provide standalone reproduction steps. No public PoC is included in the bundle.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.