CVE-2026-49952: Reusing a Nonce, Key Pair in Encryption in Discuz! Discuz! X5.0
Discuz! X5.0 releases 20260320 through 20260501 contain an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to database backup and restore functionality by exploiting a shared cryptographic key between UCenter integration and the database backup API exposed by dbbak.php. Attackers can inject a crafted payload through the username parameter during login to abuse the encryption oracle in logging_ctl::logging_more(), obtain a legitimately signed token, and use it to bypass authorization for database export and import operations, with the additional ability to trigger a race condition to impersonate arbitrary users.
AI Analysis
Technical Summary
The vulnerability in Discuz! X5.0 (releases 20260320 through 20260501) involves reuse of a nonce and key pair in encryption between UCenter integration and the database backup API (dbbak.php). Attackers can inject payloads via the username parameter during login to exploit the encryption oracle in logging_ctl::logging_more(), obtaining legitimately signed tokens. These tokens allow bypassing authorization checks for database backup and restore functionality. The flaw also enables triggering a race condition to impersonate arbitrary users, leading to unauthorized access and control over critical database operations.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to bypass authentication and authorization controls, gaining unauthorized access to database backup and restore functionality. This can lead to unauthorized export and import of database data and potential impersonation of arbitrary users, posing a severe risk to data confidentiality and integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround has been documented at this time. Until a patch is available, restrict access to the affected API endpoints and monitor for suspicious activity related to database backup operations.
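One way to carry out the monitoring step recommended above, as an added example that is not part of the original advisory or of the vendor's code: it scans web-server access logs (common/combined format) for requests to dbbak.php from outside an admin allowlist. The allowlist network, the `/example/` path and the log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Assumption: networks permitted to reach the backup API (documentation range).
ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/28")]

# Common/combined log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def targets_dbbak(target):
    """True if any path segment is dbbak.php after percent-decoding.
    Lower-casing covers case-insensitive filesystems; the query string is ignored."""
    path = unquote(urlsplit(target).path).lower()
    return "dbbak.php" in path.split("/")

def find_backup_api_hits(lines, admin_nets=ADMIN_NETS):
    """Group dbbak.php requests from non-allowlisted clients by client address."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not targets_dbbak(m["target"]):
            continue
        try:
            allowed = any(ipaddress.ip_address(m["ip"]) in n for n in admin_nets)
        except ValueError:
            allowed = False  # unparsable client field: report rather than skip
        if not allowed:
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def served(hits):
    """Clients that received a 2xx from the backup API; triage these first."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(200 <= status < 300 for _, _, status in reqs))

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.5 - - [16/Jun/2026:05:40:01 +0000] "GET /example/dbbak.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [16/Jun/2026:05:41:10 +0000] "POST /example/dbbak.php HTTP/1.1" 403 0',
    '203.0.113.9 - - [16/Jun/2026:05:41:12 +0000] "POST /example/DBBAK%2Ephp HTTP/1.1" 200 2048',
    '198.51.100.7 - - [16/Jun/2026:05:42:00 +0000] "GET /example/index.php?q=dbbak.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(served(find_backup_api_hits(SAMPLE_LOG)))
```

A 2xx response to a non-allowlisted client means the endpoint restriction is not in effect for that path and the request should be investigated.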
CVSS v4.0
Score 9.3 (critical)
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-06-02T16:30:15.232Z
- Cvss Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3052e10b89be688882749c
Added to database: 6/15/2026, 7:30:41 PM
Last enriched: 6/15/2026, 7:45:45 PM
Last updated: 6/16/2026, 5:46:18 AM