# [CRIT] [GHSA / CRITICAL] CVE-2026-46395: HAXcms: Private Key Disclosure via Broken HMAC Implementation

**Source:** GitHub Security Advisories
**Published:** 2026-05-19
**Article:** https://github.com/advisories/GHSA-6c8g-9hfh-pq5h

## Threat Profile

HAXcms: Private Key Disclosure via Broken HMAC Implementation

### Summary
The `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs) allowing them to get full admin access with a single HTTP request.

### Details
Bug 1: Hardcoded HMAC Key (line 2160): The function passes the literal string "0"…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-46395`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1204.002** — User Execution: Malicious File
- **T1552.001** — Unsecured Credentials: Credentials In Files
- **T1606.001** — Forge Web Credentials: Web Cookies
- **T1078** — Valid Accounts

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### HAXcms CVE-2026-46395: unauthenticated GET to /system/api/connectionSettings

`UC_261_2` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Web.http_user_agent) as user_agents values(Web.dest) as dest values(Web.status) as status from datamodel=Web.Web where Web.http_method="GET" Web.url="*/system/api/connectionSettings*" by Web.src Web.dest | `drop_dm_object_name(Web)` | rename src as src_ip | where status>=200 AND status<300 | sort -firstTime
```

### HAXcms CVE-2026-46395: forged-JWT admin write within 30m of connectionSettings leak

`UC_261_3` · phase: **actions** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as leakTime from datamodel=Web.Web where Web.http_method="GET" Web.url="*/system/api/connectionSettings*" Web.status>=200 Web.status<300 by Web.src Web.dest | `drop_dm_object_name(Web)` | rename src as leak_src dest as leak_dest | join type=inner leak_src leak_dest [| tstats `summariesonly` count min(_time) as writeTime values(Web.url) as urls values(Web.http_method) as methods from datamodel=Web.Web where (Web.http_method="POST" OR Web.http_method="PUT" OR Web.http_method="DELETE" OR Web.http_method="PATCH") (Web.url="*/system/api/saveOutline*" OR Web.url="*/system/api/saveManifest*" OR Web.url="*/system/api/saveNode*" OR Web.url="*/system/api/createSite*" OR Web.url="*/system/api/deleteSite*" OR Web.url="*/system/api/saveFile*" OR Web.url="*/system/api/saveUser*") Web.status>=200 Web.status<300 by Web.src Web.dest | `drop_dm_object_name(Web)` | rename src as leak_src dest as leak_dest] | eval delaySec=writeTime-leakTime | where delaySec>=0 AND delaySec<=1800 | table leakTime writeTime delaySec leak_src leak_dest urls methods | sort -leakTime
```

**Defender KQL:**
```kql
// HAXcms is a Node.js web app — the JWT/Authorization header signal lives on the web tier (AppServiceHTTPLogs / W3CIISLog), not in DeviceProcessEvents.
// On hosts that run HAXcms AND are enrolled in Defender, this query approximates the post-exploit chain by joining
// outbound DNS lookups from the suspected attacker host to HAXcms domains with subsequent file modifications under
// HAXcms content roots performed by the local node.exe.
let WindowMinutes = 30m;
let HaxcmsHostHints = dynamic(["haxcms","haxtheweb"]);
let NetTouch = DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteUrl has_any (HaxcmsHostHints) or InitiatingProcessFileName =~ "node.exe"
    | where ActionType in ("ConnectionSuccess","ConnectionAttempt","HttpConnectionInspected")
    | project NetTime = Timestamp, DeviceId, DeviceName, RemoteUrl, RemoteIP,
              InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
DeviceFileEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "node.exe"
| where FolderPath has_any ("\\haxcms\\","/haxcms/","\\_sites\\","/_sites/","site.json","manifest.json")
| where ActionType in ("FileCreated","FileModified","FileRenamed")
| join kind=inner NetTouch on DeviceId
| where Timestamp between (NetTime .. NetTime + WindowMinutes)
| extend DelaySec = datetime_diff('second', Timestamp, NetTime)
| project NetTime, FileWriteTime = Timestamp, DelaySec, DeviceName, RemoteUrl, RemoteIP,
          FileName, FolderPath, InitiatingProcessAccountName,
          InitiatingProcessCommandLine
| order by NetTime desc
```

### HAXcms CVE-2026-46395: vulnerable @haxtheweb/haxcms-nodejs <= 25.0.0 present

`UC_261_4` · phase: **weapon** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities.Vulnerabilities where (Vulnerabilities.cve="CVE-2026-46395" OR (Vulnerabilities.signature="*haxcms*")) by Vulnerabilities.dest Vulnerabilities.cve Vulnerabilities.signature Vulnerabilities.severity | `drop_dm_object_name(Vulnerabilities)` | sort -lastTime
```

**Defender KQL:**
```kql
DeviceTvmSoftwareVulnerabilities
| where Timestamp > ago(7d)
| where CveId =~ "CVE-2026-46395"
   or (SoftwareName has_any ("haxcms","haxtheweb","haxcms-nodejs") and SoftwareVendor has_any ("haxtheweb","penn state","the pennsylvania state university"))
| project Timestamp, DeviceId, DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion,
          CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, AffectedSoftwareSku
| order by Timestamp desc
```

### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46395: HAXcms: Private Key Disclosure via Broken HMAC

`UC_261_1` · phase: **exploit** · confidence: **High**

**Splunk SPL (CIM):**
```spl
``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-46395: HAXcms: Private Key Disclosure via Broken HMAC ```
| tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime
    from datamodel=Endpoint.Processes
    where (Processes.process_name IN ("node.js"))
    by Processes.dest, Processes.user, Processes.process_name,
       Processes.process, Processes.parent_process_name, Processes.process_path
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| append [
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("created","modified")
      AND (Filesystem.file_name IN ("node.js"))
    by Filesystem.dest, Filesystem.user, Filesystem.process_name,
       Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
]
```

**Defender KQL:**
```kql
// Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-46395: HAXcms: Private Key Disclosure via Broken HMAC
// Hunts the actual binaries / paths / commandline fragments named
// in the article instead of a generic technique-class template.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where (FileName in~ ("node.js"))
| project Timestamp, DeviceName, AccountName, FileName,
          FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// File-creation events for the named binaries / paths
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType in ("FileCreated","FileModified")
| where (FileName in~ ("node.js"))
| project Timestamp, DeviceName, AccountName, FolderPath,
          FileName, ActionType, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-46395`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 5 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.