Discuz! X5.0 (UC_KEY) Cross-Context Token Reuse Vulnerability

https://www.discuz.vip

• Affected Versions:

Version X5.0, releases 20260320 through 20260501.

• Vulnerability Description:

The vulnerable code is located within the /config/config_ucenter.php configuration file:

define('UC_KEY', $_config['security']['authkey']);

When installed in “standalone mode” (which is the case with the default configuration), Discuz! X5.0 initializes the UC_KEY cryptographic constant by directly copying the value of the global authkey setting.

As a result, the same cryptographic key is shared across multiple unrelated application components, including UCenter integration and the database backup/restore API exposed by the /api/db/dbbak.php script. This breaks cryptographic isolation and allows tokens produced in one context to be accepted as valid in another.

Specifically, the logging_ctl::logging_more() method — invoked during a login request when the lssubmit parameter is present — encrypts attacker-controlled input with the global authkey setting and reflects the resulting ciphertext back to the client, effectively acting as an encryption oracle. By injecting a crafted command payload through the username parameter, an unauthenticated attacker can obtain a legitimately signed token that bypasses the authorization check in /api/db/dbbak.php, gaining unauthenticated access to the database export and import functionality.

NOTE: by abusing the database export and import functionality, an attacker may be able to trigger a Race Condition that ultimately allows impersonating any user, bypassing authentication. This can be exploited in combination with other vulnerabilities (such as KIS-2026-11) to achieve unauthenticated Remote Code Execution.
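The loss of cryptographic isolation described above, shown from the defensive side in an added example (not Discuz! code and not the vendor's fix): each component derives its own key from the master secret, so a token minted by the login flow fails verification in the backup API. The function names, context labels and token layout are assumptions made for this illustration.

```php
<?php
// Added illustration, not Discuz! code. Function names, context labels and
// the token layout are assumptions made for this example.

// Derive an independent 32-byte key for each component from one master secret.
function context_key(string $masterKey, string $context): string
{
    return hash_hkdf('sha256', $masterKey, 32, 'ctx:' . $context);
}

// Mint "payload.mac" under the key of the context the token is issued for.
function mint_token(string $masterKey, string $context, string $payload): string
{
    $mac = hash_hmac('sha256', $payload, context_key($masterKey, $context), true);
    return base64_encode($payload) . '.' . base64_encode($mac);
}

// Return the payload if the token verifies under this context's key, else null.
function verify_token(string $masterKey, string $context, string $token): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    $mac     = base64_decode($parts[1], true);
    if ($payload === false || $mac === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, context_key($masterKey, $context), true);
    return hash_equals($expected, $mac) ? $payload : null;
}

$master = random_bytes(32); // constructed stand-in for the global authkey

// Constructed sample: a value produced by the login flow from caller-supplied input.
$loginToken = mint_token($master, 'login', 'username=alice');

// The issuing context accepts its own token.
var_dump(verify_token($master, 'login', $loginToken));
// The backup API derives a different key, so the same token is rejected.
var_dump(verify_token($master, 'db-backup', $loginToken));
```

If both components passed the same context label, the second check would succeed, which is the shared-key condition this advisory describes.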

• Proof of Concept:

https://karmainsecurity.com/pocs/discuz_rce.zip

• Solution:

Upgrade to release 20260510 or later.

• Disclosure Timeline:

[27/04/2026] – Vendor contacted through private messages on gitee.com, no response

[27/04/2026] – Vendor contacted via e-mail at admin@discuz.vip and security@tencent.com, no response

[07/05/2026] – Opened issue IJLFUW on https://gitee.com/Discuz/DiscuzX

[09/05/2026] – Vulnerability details shared within issue IJLFUW

[09/05/2026] – Vulnerability fixed within commit 9962dad52c4c6999dabaf91ecd70377c680ff3c6

[10/05/2026] – New fixed version (Discuz_X5.0_20260510) was released

[09/06/2026] – CVE identifier requested

[09/06/2026] – CVE identifier assigned

[13/06/2026] – Public disclosure at hackmeeting 0x1D

[15/06/2026] – Publication of this advisory

• CVE Reference:

CVE-2026-49952 has been assigned to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.