CVE-2026-9609
Description
A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FoxCMS up to 1.2.6 contains a privilege management flaw in Admin.php:edit() allowing low-privilege admins to reset the super admin password.
Vulnerability
In FoxCMS versions up to 1.2.6, the Admin.php:edit() function (endpoint /admin9423.php/Admin/edit) lacks proper authorization checks. While it prevents changing the status of the super administrator (id=1), it does not verify whether the currently logged-in administrator has permission to modify other administrators. This allows any authenticated administrator to craft a request containing arbitrary id, password, and group_id parameters, effectively resetting the password of any account, including the super administrator (id=1). The issue is categorized under CWE-269: Improper Privilege Management [1][2].
Exploitation
An attacker must have a valid low‑privilege administrator account on the FoxCMS backend. Using that session cookie, the attacker sends a POST request to the Admin/edit endpoint with parameters such as id=1&password=NewPass123&group_id=1. The server does not validate whether the attacker is authorized to edit the target account, allowing the attacker to overwrite the super administrator’s password. The exploit steps are publicly described in the associated issue report [2].
Impact
A successful attack grants the attacker full control of the super administrator account, leading to complete compromise of the FoxCMS backend. The attacker can then modify site content, configuration, and all user accounts. The vulnerability enables privilege escalation from a regular administrator to super administrator, resulting in total administrative takeover [2].
Mitigation
As of the publication date (2026-05-27), the vendor has not responded to the reported issue and no patch is available. Users of FoxCMS up to and including version 1.2.6 should assume the software is vulnerable. Mitigation options include restricting access to the admin panel via IP whitelisting or VPN, and reviewing administrator account trust boundaries. No fix has been released; monitor the project repository for future updates [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
Missing server-side object-level authorization check in Admin.php:edit() allows any authenticated administrator to modify any other administrator account, including the super administrator.
Attack vector
An attacker who already possesses a valid normal (non-super) administrator session can send a POST request to `/admin9423.php/Admin/edit` with the target `id` set to the super administrator's ID (e.g., `id=1`) and a new desired password [2]. The server does not check whether the current user is authorized to edit that target, so the password of the super administrator is silently overwritten (CWE-269). After the request succeeds, the attacker can log in as the super administrator with the new password and gain full control of the backend [2].
Affected code
The vulnerable function is `edit()` in `app\admin\controller\Admin.php` [2]. The method accepts `id`, `password`, `group_id`, and other parameters directly from the request without verifying whether the currently logged-in administrator has permission to modify the target administrator account [2].
What the fix does
No patch has been published by the vendor; the project was informed via an issue report but has not responded [2]. The advisory recommends implementing server-side object-level authorization checks in the `edit()` method: the system should verify that the current administrator has permission to modify the target administrator, restrict modification of super administrator accounts to other super administrators only, and enforce role-based access control on sensitive fields such as `password`, `group_id`, and `status` [2].
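The authorization checks the advisory recommends for `edit()`, written as an added PHP example (not FoxCMS's own code, and going slightly beyond the text by also allow-listing the editable fields); `SUPER_GROUP_ID`, the array shapes and the two constructed requests are assumptions of this demo:

```php
<?php
// Added example, not FoxCMS code: the object-level authorization gate the
// advisory recommends for an admin edit() action, plus a field allow-list.
// SUPER_ADMIN_ID, SUPER_GROUP_ID and the array shapes are demo assumptions.
const SUPER_ADMIN_ID  = 1;   // the page identifies the super administrator as id=1
const SUPER_GROUP_ID  = 1;   // assumed: group 1 is the super-administrator role
const EDITABLE_FIELDS = ['username', 'password', 'group_id', 'status', 'nickname', 'phone', 'avatar'];

/**
 * Decide whether $current may apply $fields to administrator $target. $current
 * comes from the session and $target is loaded from the DB by the submitted id
 * (never trust role claims in the request body); both are ['id' => int, 'group_id' => int].
 * Returns null when the edit is allowed, otherwise a reason for the audit log.
 */
function authorizeAdminEdit(array $current, array $target, array $fields): ?string
{
    $isSuper    = (int)$current['group_id'] === SUPER_GROUP_ID;
    $isSelf     = (int)$current['id'] === (int)$target['id'];
    $roleFields = array_intersect(array_keys($fields), ['group_id', 'status']);
    // No mass assignment: anything outside the allow-list is rejected outright.
    if ($unknown = array_diff(array_keys($fields), EDITABLE_FIELDS)) {
        return 'forbidden: unexpected field(s) ' . implode(',', $unknown);
    }
    // Object-level check: a normal admin may only touch its own record, so the
    // id=1 password reset from the advisory is refused before any update runs.
    if (!$isSuper && !$isSelf) {
        return 'forbidden: non-super admin editing another account';
    }
    // group_id and status are privilege changes: super admins only, and never
    // on the super administrator record itself.
    if ($roleFields && !$isSuper) {
        return 'forbidden: role fields require a super admin';
    }
    if ($roleFields && (int)$target['id'] === SUPER_ADMIN_ID) {
        return 'forbidden: the super administrator role cannot be changed';
    }
    return null;   // allowed: a super admin editing anyone, or a self-service edit
}

// Constructed inputs: the advisory's request (id=1&password=...&group_id=1) as sent
// by a normal administrator (id 5, group 2), followed by a legitimate self-service edit.
$normalAdmin = ['id' => 5, 'group_id' => 2];
$superAdmin  = ['id' => SUPER_ADMIN_ID, 'group_id' => SUPER_GROUP_ID];
foreach ([
    'reset super admin password' => [$superAdmin,  ['password' => 'Abc123456', 'group_id' => 1]],
    'change own password'        => [$normalAdmin, ['password' => 'NewPass123']],
] as $label => [$target, $fields]) {
    $verdict = authorizeAdminEdit($normalAdmin, $target, $fields);
    printf("%-26s -> %s\n", $label, $verdict ?? 'allowed');
}
```

The gate runs before any database write and returns a reason string, so a denied attempt can be logged with the acting administrator's id rather than failing silently.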
Preconditions
- Auth: The attacker must have a valid normal (non-super) administrator account and session cookie for the FoxCMS backend.
- Config: The target FoxCMS instance must have at least one normal administrator account and a super administrator account (id=1).
- Network: The attacker must be able to reach the admin endpoint (e.g., /admin9423.php/Admin/edit) over the network.
- Input: The attacker sends a crafted POST request with the target id (e.g., id=1) and a new password.
Reproduction
1. Log in to the FoxCMS backend with a normal (non-super) administrator account and capture the session cookie (e.g., `PHPSESSID=xxx`).
2. Send the following POST request, replacing `target.com` and the cookie value as appropriate:

```http
POST /admin9423.php/Admin/edit HTTP/1.1
Host: target.com
Cookie: PHPSESSID=xxx
Content-Type: application/x-www-form-urlencoded

id=1&username=admin&password=Abc123456&group_id=1&nickname=黔狐科技&phone=4008883116&avatar=%2Fuploads%2Ffiles%2F20230311%2Fuser.jpg
```

3. The super administrator password is now changed to `Abc123456`. Log in with `admin` / `Abc123456` to confirm full backend access [2].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0