External risk intelligence

Discuz! X5.0 Authentication Bypass via Database Backup API

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-49952

Discuz! X5.0 has an authentication bypass vulnerability in its database backup API that allows unauthenticated attackers to access sensitive backup and restore functions. This could lead to unauthorized data access and user impersonation. It is critical to confirm if this affects any hosted community sites.

5Halo Surface Signal

Authentication Bypass

External exposure likelihood

Halo Surface Signal score for CVE-2026-49952

The vulnerability affects Discuz! X, a widely deployed internet-facing forum and community web application. The affected component, dbbak.php, is part of the public web interface, making this endpoint inherently exposed to the internet in standard deployments.

PCI scan relevance

PCI Relevance for CVE-2026-49952

Yes

CVE-2026-49952 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated attackers to bypass authentication and access sensitive database functions. Exploiting this could impact systems handling cardholder data.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical security flaw in Discuz! X5.0, a widely used forum and community platform, which allows unauthorized remote attackers to bypass authentication and access sensitive database backup and restore functions. The vulnerability exploits a weakness in how cryptographic keys are shared between system components, potentially enabling attackers to gain control over database operations and impersonate users.

Unauthenticated attackers can access database backups.
This impacts community platforms and their data integrity.
Confirm relevance and scope for our hosted community sites.

Attack Path

How an attacker could exploit the issue

An attacker can bypass authentication by exploiting a weakness in how Discuz! X handles cryptographic keys used for database backups. By sending a specially crafted request during the login process, an attacker can trick the system into signing a token that grants them unauthorized access to database backup and restore functions. This can lead to data exfiltration, manipulation, and potentially the ability to impersonate other users.

No prior authentication required.
Crafted username parameter bypasses authorization.
Unauthorized access to database backups.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to bypass authentication and gain unauthorized access to sensitive database backup and restore functionality. This could occur when a crafted payload is injected through the username parameter, exploiting an encryption oracle to obtain a signed token. The attacker could then use this token to perform database export and import operations.

Database backup and restore data.
Via crafted username injection.
Unauthorized access to site data.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability likely impacts application owners and potentially platform or infrastructure teams responsible for managing the Discuz! X deployment. The first actionable step is to identify all instances of the affected Discuz! X software, determine their internet reachability and business criticality, and then confirm the accountable owner for each instance to prioritize remediation efforts.

Identify affected instances and owners.
Verify internet exposure and business criticality.
Plan vendor coordination or remediation.

Frequently asked questions

What is Discuz! X5.0?

Discuz! X5.0 is a popular web-based community platform used to host forums and interactive message boards. It includes specialized modules for administrative tasks, such as database management, which are designed to allow site owners to perform backups and restores directly through the application's interface.

What does CVE-2026-49952 mean in simple terms?

This vulnerability, classified as CWE-323: Misuse of a Cryptographic Key, occurs when different parts of a system accidentally share the same secret key. In Discuz! X5.0, an attacker can exploit this shared key to trick the system into creating a valid security token. This allows them to bypass the login requirement and gain unauthorized access to sensitive database functions, such as exporting or importing site data.

How does an attacker trigger this vulnerability?

An attacker triggers this by sending a specially crafted username parameter during the login process. This payload forces the application to act as an encryption oracle, signing a token that the attacker can then use to bypass authorization. Simply accessing the site normally or logging in with valid credentials does not trigger this flaw; it requires the specific, malicious input designed to abuse the underlying cryptographic design.

Is my Discuz! X5.0 installation at risk?

If you run Discuz! X5.0, your installation is at risk if it is internet-facing. According to Halo Surface Signal, the vulnerable component, dbbak.php, is part of the public web interface, meaning it is inherently exposed to the internet in standard deployments. Installations that are kept on internal, private networks without public access have a lower immediate risk profile but should still be reviewed.

How should I respond to this threat?

Start by identifying all instances of Discuz! X5.0 across your environment to determine which are internet-facing versus internal. Once you have an inventory, confirm the business criticality of each site. Coordinate with your platform teams to prioritize these instances for updates or temporary service restriction while you seek the official patch from the software vendor.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.