CVE-2026-46395: HAXcms: Private Key Disclosure via Broken HMAC Implementation

May 19, 2026

The hmacBase64() function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs) allowing them to get full admin access with a single HTTP request.

References

github.com/advisories/GHSA-6c8g-9hfh-pq5h
github.com/haxtheweb/issues/security/advisories/GHSA-6c8g-9hfh-pq5h
nvd.nist.gov/vuln/detail/CVE-2026-46395

Code Behaviors & Features

Detect and mitigate CVE-2026-46395 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →