HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of…
GitHub_M·CWE-183·Published 2026-05-19
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched substrings to an attacker-controlled endpoint and capture authentication. Version 26.0.0 fixes the issue.
### Summary

Multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched substrings to an attacker-controlled endpoint and capture authentication.

### Details

[api/services/website/cacheAddress.js](https://github.com/haxtheweb/open-apis/blob/ff694ce91442c39ae1a78dc21e9ce50546aa207a/api/services/website/cacheAddress.js#L21), [api/apps/haxcms/lib/JOSHelpers.js](https://github.com/haxtheweb/open-apis/blob/ff694ce91442c39ae1a78dc21e9ce50546aa207a/api/apps/haxcms/lib/JOSHelpers.js#L26), and [api/apps/haxcms/convert/elmslnToSite.js](https://github.com/haxtheweb/open-apis/blob/ff694ce91442c39ae1a78dc21e9ce50546aa207a/api/apps/haxcms/convert/elmslnToSite.js#L37) use similar logic to check for hard-coded site names. However, the logic only checks whether the hard-coded name appears as a substring of the user-controlled string, allowing an attacker to craft an API call and extract the credentials intended for the hard-coded domains.

### PoC

Making API calls to an affected endpoint will result in credential theft. The attacker-controlled domains in these proofs of concept are `cloudflared` tunnels, protecting the production credentials from unencrypted exposure.

cacheAddress.js:

![ssrf_cred_theft](https://github.com/user-attachments/assets/0a87cef5-3c4d-450a-8bb7-35123d5f621b)

elmslnToSite.js:

![theft2](https://github.com/user-attachments/assets/bede82cc-a613-4fc7-bbf6-76166af784f5)

JOSHelpers.js:

![theft3](https://github.com/user-attachments/assets/4f3f8bee-443e-4b22-9d41-eb9726619d36)

### Impact

This vulnerability allows internal data, including secrets, to be exfiltrated to an attacker-controlled domain. Credentials were confirmed with the maintainer to grant access to unreleased LMS content on subsequent systems; out of scope for PoC.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 4.0 | Primary | cve.org | 8.7 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N |
| 4.0 | Secondary | NVD | 8.7 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| 4.0 | Secondary | GHSA | 8.7 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N |