Severity: Critical (CVSS 9.3)

Affected Systems: Affected products listed by OpenCVE and the vendor advisory

Overview

Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle

A critical vulnerability identified as CVE-2026-49952 has been disclosed.

Discuz! X5.0 releases 20260320 through 20260501 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to database backup and restore functionality by exploiting a shared cryptographic key between UCenter integration and the database backup API exposed by dbbak.php. Attackers can inject a crafted payload through the username parameter during login to abuse the encryption oracle in logging_ctl::logging_more(), obtain a legitimately signed token, and use it to bypass authorization for database export and import operations, with the additional ability to trigger a race condition to impersonate arbitrary users.

Risk

CVSS and CISA data indicate the following:

  • Review the OpenCVE and vendor advisory for exploit conditions and impact

OpenCVE Analysis

CVSS v4.0 9.3 CriticalCVSS v3.1 9.1 CriticalCVSS v3.0 N/ACVSS v2 N/AKEV noEPSS noSSVC yes

  • OpenCVE title: Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle
  • Severity score: Critical (CVSS 9.3)
  • SSVC Automatable: yes
  • SSVC Exploitation: poc
  • SSVC Technical Impact: total
  • Weaknesses: CWE-323
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged
Confidentiality ImpactHigh
Integrity ImpactHigh
Availability ImpactNone
Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Required Action

Review the OpenCVE detail page and linked vendor advisory, then apply the vendor-provided update or mitigation for the affected product.

Prioritize systems where the affected product is internet-facing, handles authentication, or runs with elevated privileges.

Verify Updates

Confirm whether your environment uses the affected product(s): Affected products listed by OpenCVE and the vendor advisory.

After remediation, verify the installed version against the fixed or unaffected versions listed by the vendor.

Temporary Mitigation (if patch is not available)

Use the mitigation published by the vendor. If no vendor mitigation is available, reduce exposure to the affected product, restrict access to trusted users or networks, and increase monitoring until an update can be applied.

Recommendation

  • Use OpenCVE, vendor, and source references as the source of truth for affected versions and remediation
  • Patch or mitigate affected products after confirming exposure in your environment
  • Monitor affected systems for unusual activity until remediation is complete

Support

If you require assistance, please contact our support team.

Immediate action is strongly recommended to protect your infrastructure.

Source Details

Customer Responsibility and Backups

Before applying updates, mitigations, or configuration changes, customers should take and verify current backups or snapshots of affected systems.

Customers are responsible for managing their servers, validating their own backups, testing changes, and ensuring they can restore services if an update or mitigation causes an issue.



Tuesday, June 16, 2026

« Back