CVE-2026-49952

CRITICAL

Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-49952. PoCs published by passwa11.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-49952, targeting Discuz! X5.0. The exploit demonstrates a remote code execution (RCE) chain involving database export/import, race condition attacks, and admin authentication bypass to achieve a webshell.

Description

Discuz! X5.0 releases 20260320 through 20260501 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to database backup and restore functionality by exploiting a shared cryptographic key between UCenter integration and the database backup API exposed by dbbak.php. Attackers can inject a crafted payload through the username parameter during login to abuse the encryption oracle in logging_ctl::logging_more(), obtain a legitimately signed token, and use it to bypass authorization for database export and import operations, with the additional ability to trigger a race condition to impersonate arbitrary users.

Exploits (1)

github WORKING POC

by passwa11 · poc

https://github.com/passwa11/CVE-2026-49952

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-49952, targeting Discuz! X5.0. The exploit demonstrates a remote code execution (RCE) chain involving database export/import, race condition attacks, and admin authentication bypass to achieve a webshell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Racy

Target: Discuz! X5.0

No auth needed

Prerequisites: Pillow · torch · torchvision · access to target Discuz! instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Jun 17, 2026 Full analysis →

References (5)

Core 5

Core References

Technical Description technical-description

https://karmainsecurity.com/KIS-2026-09

Exploit exploit

https://karmainsecurity.com/chaining-bugs-in-discuz-from-race-condition-to-rce

Patch patch

https://gitee.com/Discuz/DiscuzX/commit/9962dad52c4c6999dabaf91ecd70377c680ff3c6

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/discuz-x5-0-authentication-bypass-via-dbbak-php-encryption-oracle

Mailing List

http://seclists.org/fulldisclosure/2026/Jun/3

Scores

CVSS v3 9.1

EPSS 0.0036

EPSS Percentile 28.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-323

Status published

Products (1)

Discuz!/Discuz! X5.0 20260320 - 20260501

Published Jun 15, 2026

Tracked Since Jun 16, 2026