CVE-2026-35185
Published: 06 April 2026
Summary
CVE-2026-35185 is a high-severity Improper Access Control (CWE-284) vulnerability in Psu Haxiam. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-14 mandates protections for publicly accessible interfaces including authorization verification and restrictions on sensitive information exposure, directly preventing unauthenticated access to the /server-status endpoint.
AC-3 requires enforcement of approved access authorizations to system resources, blocking unauthenticated queries to the sensitive /server-status endpoint.
CM-6 enforces secure configuration settings that restrict public access to administrative endpoints like /server-status, aligning with the vulnerability fix in version 25.0.0.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Publicly accessible /server-status endpoint without auth in public-facing app directly enables T1190 (exploiting public-facing application for initial access/info disclosure), T1552 (harvesting exposed authentication tokens as unsecured credentials), and T1082 (obtaining server configuration and infrastructure details).
NVD Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration details. This allows any…
more
unauthenticated user to monitor real-time user interactions and gather internal infrastructure information. This vulnerability is fixed in 25.0.0.
Deeper analysisAI
CVE-2026-35185 affects HAX CMS, a platform for managing microsites with PHP or Node.js backends, in versions prior to 25.0.0. The vulnerability stems from the /server-status endpoint being publicly accessible without authentication, which exposes sensitive information such as authentication tokens (user_token), real-time user activity, client IP addresses, and server configuration details. Rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and associated with CWEs-284 (Improper Access Control), CWE-522 (Insufficiently Protected Credentials), and CWE-532 (Information Exposure Through Log Files), it enables unauthorized information disclosure.
Any unauthenticated attacker with network access can exploit this vulnerability by simply querying the /server-status endpoint, requiring no privileges, user interaction, or special conditions. Successful exploitation allows the attacker to monitor live user interactions across the platform and harvest internal infrastructure details, potentially facilitating further attacks like token replay, targeted phishing, or reconnaissance for lateral movement.
The GitHub security advisory (GHSA-3676-wj6r-hwh7) confirms the issue is resolved in HAX CMS version 25.0.0, where the endpoint is no longer publicly accessible. Security practitioners should prioritize upgrading to this version or later and review access logs for anomalous /server-status requests to detect prior exploitation.
Details
- CWE(s)