CVE-2026-45055: CubeCart Password Reset Flaw Leads to Account Takeover

The National Vulnerability Database has detailed CVE-2026-45055, a high-severity vulnerability in CubeCart e-commerce software versions 6.6.x through 6.7.1. The flaw lets an unauthenticated attacker hijack password reset links by manipulating the Host request header: CubeCart versions prior to 6.7.2 build the CC_STORE_URL value directly from that header, with no validation against an allowlist of legitimate hostnames. CC_STORE_URL is then embedded verbatim into transactional email links, most notably the password reset link.

An attacker, knowing a target’s email, can send a POST request to /index.php?_a=recover with a malicious Host header (e.g., Host: evil.com). CubeCart will then generate a valid password reset token and email a link pointing to the attacker’s controlled domain, such as http://evil.com/index.php?_a=recovery&validate=<TOKEN>. When the victim clicks this link, the attacker captures the valid token, enabling full account takeover. This is particularly dangerous if an administrator account is targeted, leading to complete store compromise.

This vulnerability, rated 8.1 (HIGH) on the CVSS scale, is a classic example of improper input validation (CWE-20) leading to a redirect to an untrusted site (CWE-601). It highlights the risk of trusting client-supplied data, here a request header, without strict validation. The fix is available in CubeCart 6.7.2, which defenders must prioritize. The attacker's calculus is low effort for high reward: no authentication, just a crafted request and a victim's click, leading directly to account or even store control.
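To make the mechanism concrete, here is an added Python model (not CubeCart's PHP code) of the two store-URL builders: one that trusts the Host header verbatim, as the advisory describes for versions before 6.7.2, and one that only accepts a Host from a configured allowlist and otherwise falls back to the canonical host. The hostnames, allowlist and token are constructed for the demo.

```python
from urllib.parse import urlencode

# Constructed: hostnames on which this store is legitimately served,
# and the canonical one to fall back to.
ALLOWED_HOSTS = {"shop.example.com", "www.shop.example.com"}
CANONICAL_HOST = "shop.example.com"


def store_url_vulnerable(headers: dict) -> str:
    """Pre-6.7.2 pattern as the advisory describes it: the store URL is
    built from the Host header verbatim, so the client chooses the host."""
    return "http://" + headers["Host"]


def normalize_host(raw: str) -> str:
    """Lowercase and strip a :port suffix so 'Shop.Example.com:443' compares
    equal to 'shop.example.com'. Matching is exact, so a lookalike such as
    'shop.example.com.evil.com' is still rejected."""
    return raw.strip().lower().split(":", 1)[0]


def store_url_hardened(headers: dict) -> str:
    """Allowlist pattern: use the Host header only if it is one of the
    configured hostnames; otherwise use the canonical configured host."""
    host = normalize_host(headers.get("Host", ""))
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    return "https://" + host


def reset_link(store_url: str, token: str) -> str:
    """The transactional e-mail link, using the path shown in the advisory."""
    return store_url + "/index.php?" + urlencode({"_a": "recovery", "validate": token})


if __name__ == "__main__":
    attacker_request = {"Host": "evil.com"}  # constructed, mirrors the advisory
    print(reset_link(store_url_vulnerable(attacker_request), "TOKEN"))
    print(reset_link(store_url_hardened(attacker_request), "TOKEN"))
```

The first printed link points at the client-supplied host; the second always points at a host the store operator configured, which is what removes the attacker's control over where the token is delivered.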

What This Means For You

  • If your organization uses CubeCart, you need to immediately verify your version. If you are running CubeCart 6.6.x through 6.7.1, patch to version 6.7.2 without delay. This isn't theoretical; an unauthenticated attacker can take over accounts, including admin accounts, with a simple social engineering trick. Audit your logs for suspicious password reset requests targeting your CubeCart instance, especially those with unusual `Host` headers.

🛡️ Detection Rules

Rule: CVE-2026-45055: CubeCart Password Reset Host Header Manipulation (level: high; ATT&CK T1190, Initial Access)

Sigma YAML:
title: CVE-2026-45055: CubeCart Password Reset Host Header Manipulation
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  Detects the specific exploit pattern for CVE-2026-45055 by looking for POST requests to '/index.php?_a=recover' where the Host header (inferred from referer in some webserver logs) is manipulated to an attacker-controlled domain, indicating an attempt to hijack password reset links.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45055/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '?_a=recover'
    cs-method:
      - 'POST'
    # 'evil.com' is only the advisory's example domain. In production, replace it
    # with domains seen in your own alerts, or invert the logic so that any
    # Host/referer that is not one of the store's legitimate hostnames matches.
    referer|contains:
      - 'evil.com'
  # condition must sit at the detection level, not inside the selection map
  condition: selection
falsepositives:
  - Legitimate administrative activity
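The log audit recommended under "What This Means For You" and the Sigma rule above both come down to spotting reset POSTs whose Host is not the store's own. The following added Python example (not the rule and not CubeCart code) implements that check the allowlist way, flagging any POST to the recover action whose Host is not a legitimate hostname rather than matching one known bad domain. It assumes a constructed W3C-style log layout in which the request Host is recorded as cs-host; the log lines, IPs and allowlist are constructed for the demo.

```python
import re
from urllib.parse import parse_qs

# Constructed: hostnames on which this store is legitimately served.
ALLOWED_HOSTS = {"shop.example.com", "www.shop.example.com"}

# Assumed W3C-style line layout (constructed, not any server's default):
# date time c-ip cs-method cs-uri-stem cs-uri-query cs-host sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<host>\S+) (?P<status>\d+)$"
)

# Constructed sample: one legitimate reset, two Host-manipulated resets,
# one harmless GET of the form, and one legitimate host with a port suffix.
SAMPLE_LOG = """\
2026-05-13 10:01:02 203.0.113.5 POST /index.php _a=recover shop.example.com 200
2026-05-13 10:02:15 203.0.113.9 POST /index.php _a=recover evil.com 200
2026-05-13 10:02:16 203.0.113.9 POST /index.php _a=recover Shop.Example.com:8080 200
2026-05-13 10:03:40 198.51.100.7 GET /index.php _a=recover shop.example.com 200
2026-05-13 10:04:01 203.0.113.9 POST /index.php _a=recover shop.example.com.evil.com 200
"""


def normalize_host(raw: str) -> str:
    """Lowercase and drop a :port suffix so the allowlist match is exact."""
    return raw.strip().lower().split(":", 1)[0]


def is_reset_request(method: str, query: str) -> bool:
    """True for a POST to the recover action, the endpoint named in the advisory."""
    return method == "POST" and "recover" in parse_qs(query).get("_a", [])


def find_suspicious_resets(log_text: str) -> list:
    """Return (client IP, raw Host) for reset POSTs whose Host is not allowlisted."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_reset_request(m["method"], m["query"]):
            continue
        if normalize_host(m["host"]) not in ALLOWED_HOSTS:
            hits.append((m["ip"], m["host"]))
    return hits


if __name__ == "__main__":
    for ip, host in find_suspicious_resets(SAMPLE_LOG):
        print(f"suspicious password-reset POST from {ip} with Host {host}")
```

Exact matching after normalization is what catches the lookalike host in the last sample line while leaving the legitimate host with a port suffix alone.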

Indicators of Compromise

ID             | Type        | Indicator
CVE-2026-45055 | Auth Bypass | CubeCart versions 6.6.x through 6.7.1
CVE-2026-45055 | Auth Bypass | CubeCart builds CC_STORE_URL directly from the Host request header
CVE-2026-45055 | Auth Bypass | Vulnerable endpoint: POST /index.php?_a=recover
CVE-2026-45055 | Auth Bypass | Vulnerable functions: User::passwordRequest() and Admin::passwordRequest()
CVE-2026-45055 | Auth Bypass | Fixed in CubeCart version 6.7.2

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
