CVE-2026-8739
Description
A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected element is the function getSignKey of the file publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigComponent.java. The manipulation of the argument privatefile_key results in use of a hard-coded cryptographic key. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PublicCMS 5.202506.d uses a hard-coded default signing key for private file URLs, allowing unauthenticated attackers to forge signatures and download private files.
Vulnerability
A cryptographic design flaw exists in PublicCMS 5.202506.d within the SafeConfigComponent.getSignKey function (publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigComponent.java). When the privatefile_key configuration is not set, the function uses a deterministic fallback key derived from siteId, CMS_FILEPATH.hashCode(), and clusterId. The clusterId value is exposed through the unauthenticated endpoint /api/directive/tools/version, making the effective signing secret externally derivable [1].
Exploitation
An unauthenticated attacker can obtain the cluster value by sending a GET request to /api/directive/tools/version. Using the known derivation algorithm, the attacker can compute the default signing key offline. With this key, the attacker can forge a valid sign parameter for any private file path and expiry value, then download the file via the /file/private endpoint without authentication [1].
Impact
Successful exploitation allows an unauthenticated attacker to download any private file protected by the signed URL mechanism. This results in unauthorized information disclosure of files that were intended to be restricted to authenticated users or specific signed requests [1].
Mitigation
The vendor was contacted but did not respond, and no official patch has been released as of the publication date. As a workaround, administrators should configure a strong, random privatefile_key in the application configuration to override the default. Additionally, consider restricting access to the /api/directive/tools/version endpoint or removing it if not required [1].
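The core defensive point above is that a signing key for private-file URLs must never be derivable from identifiers the application already exposes. The following is an added illustration, not PublicCMS's own code and not a reconstruction of its getSignKey logic: a signer whose key loading fails closed when privatefile_key is unset (instead of falling back to a default), a helper to generate a suitable random value for that setting, and a verifier that checks expiry and compares the signature in constant time. The key-length rule, the path/expiry encoding, the HMAC-SHA256 choice and the sample path are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative private-file URL signer (not PublicCMS code).
 * Key loading refuses to start without a configured secret rather than
 * deriving a default from site, path or cluster identifiers.
 */
public final class PrivateFileSigner {
    private static final String HMAC = "HmacSHA256";
    private final byte[] key;

    // Hardened key loading: the caller passes whatever the application read
    // for privatefile_key; null or a short value is rejected outright.
    // The 32-character minimum is an assumption for this example.
    public PrivateFileSigner(String configuredKey) {
        if (configuredKey == null || configuredKey.trim().length() < 32) {
            throw new IllegalStateException(
                "privatefile_key must be set to a random secret; "
              + "refusing to derive a default from site/cluster identifiers");
        }
        this.key = configuredKey.getBytes(StandardCharsets.UTF_8);
    }

    /** Produce a value an administrator can paste into privatefile_key (256 random bits). */
    public static String newRandomKey() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Sign a file path bound to an expiry timestamp (epoch milliseconds). */
    public String sign(String filePath, long expires) {
        return Base64.getUrlEncoder().withoutPadding()
                     .encodeToString(hmac(filePath + "\n" + expires));
    }

    /** Verify: reject expired links first, then compare the MAC in constant time. */
    public boolean verify(String filePath, long expires, String sign, long now) {
        if (expires < now) {
            return false;
        }
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(sign);
        } catch (IllegalArgumentException e) {
            return false; // malformed signature parameter
        }
        byte[] expected = hmac(filePath + "\n" + expires);
        return MessageDigest.isEqual(expected, given);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(HMAC);
            mac.init(new SecretKeySpec(key, HMAC));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        String key = newRandomKey();            // value to configure as privatefile_key
        PrivateFileSigner signer = new PrivateFileSigner(key);
        long now = System.currentTimeMillis();
        long expires = now + 60_000L;
        String path = "/private/report.pdf";    // constructed sample path
        String sig = signer.sign(path, expires);
        System.out.println("valid link:    " + signer.verify(path, expires, sig, now));
        System.out.println("expired link:  " + signer.verify(path, expires, sig, expires + 1));
        System.out.println("other path:    " + signer.verify("/private/other.pdf", expires, sig, now));
        try {
            new PrivateFileSigner(null);        // unset privatefile_key must not be tolerated
        } catch (IllegalStateException e) {
            System.out.println("unset key rejected: " + e.getMessage());
        }
    }
}
```

The design choice worth copying is the constructor: a missing privatefile_key is a startup error, not a silent fallback, so a misconfigured deployment is noticed immediately rather than after its private files have been exposed. Administrators applying the workaround above can use an equivalent of newRandomKey to produce the value, and should confirm after restart that the configured key, not a default, is in effect.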
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.