CVE Reports

Posted on • Originally published at cvereports.com

GHSA-2RHW-GW3F-477J: Predictable HostGUID Assignment in DNN Platform New Installations

Vulnerability ID: GHSA-2RHW-GW3F-477J
CVSS Score: 7.5
Published: 2026-04-10

Starting with version 10.0.0, the DNN (DotNetNuke) installer does not generate a unique HostGUID for new installations; every newly deployed instance instead receives the same static, hardcoded GUID. Platform security mechanisms rely on this identifier as a source of entropy, as a unique per-installation value, and for cross-tenant isolation, so a value shared by every installation weakens all of them.

TL;DR

DNN versions 10.0.0 through 10.2.1 assign the same static HostGUID to every new installation, undermining cryptographic operations that use the GUID as a salt or seed. Version 10.2.2 fixes the installer so that new installations receive a unique GUID; the upgrade alone does not rotate the GUID on instances that were installed on a vulnerable version, so those deployments need manual database remediation.


Technical Details

  • CWE ID: CWE-331 (Insufficient Entropy)
  • Attack Vector: Network / Offline
  • Impact: Cryptographic Weakness, Predictable Identifiers
  • Exploit Status: No Active Exploitation Known
  • Affected Component: Installer Templates / HostSettings Database
  • Fix Version: DNN Platform 10.2.2

Affected Systems

  • DNN (DotNetNuke) Platform
  • DotNetNuke.Core NuGet Package
  • Dnn.Platform NuGet Package
  • DNN Platform: >= 10.0.0, < 10.2.2 (Fixed in: 10.2.2)

Mitigation Strategies

  • Upgrade DNN Platform to version 10.2.2 or later for all new installations.
  • Manually rotate the HostGUID in the database for instances initially deployed on versions 10.0.0 through 10.2.1.
  • Regenerate machine keys and enforce password resets after rotating the HostGUID.

Remediation Steps:

  1. Execute SELECT SettingValue FROM HostSettings WHERE SettingName = 'HostGUID' to inspect the current GUID.
  2. Create a full backup of the DNN database and filesystem.
  3. Apply the DNN Platform 10.2.2 update.
  4. If the instance was first installed on a vulnerable version, execute an UPDATE against the HostSettings row where SettingName = 'HostGUID' to replace the shared value with a newly generated GUID.
  5. Recycle the IIS Application Pool.
  6. Invalidate active user sessions and regenerate the platform machine keys, since values derived from the old GUID are no longer valid.
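The inspection in step 1 and the rotation in step 4, combined into one T-SQL script. This is an added example, not code from the advisory or from the DNN project. It assumes SQL Server (the database DNN runs on), the default dbo schema, and a HostSettings table without a DNN object-qualifier prefix (adjust the table name if your installation uses one). It also assumes the stored GUID uses the lowercase, hyphenated form that .NET's Guid.ToString() produces; if your row shows a different format, match that instead. Run it only after the backup (step 2) and the 10.2.2 upgrade (step 3).

```sql
-- Added example (not from the advisory or the DNN project): rotate the HostGUID
-- on an instance that was first installed on DNN 10.0.0 through 10.2.1.
-- Assumptions: SQL Server, schema dbo, no DNN object-qualifier prefix on the
-- table name, and a lowercase hyphenated GUID string in SettingValue.
SET NOCOUNT ON;

DECLARE @OldGuid NVARCHAR(50);
-- NEWID() returns a random (version 4) GUID; LOWER() matches .NET's Guid.ToString() form.
DECLARE @NewGuid NVARCHAR(50) = LOWER(CONVERT(NVARCHAR(50), NEWID()));

-- Step 1: read the current value before changing anything.
SELECT @OldGuid = SettingValue
FROM dbo.HostSettings
WHERE SettingName = 'HostGUID';

IF @OldGuid IS NULL
BEGIN
    RAISERROR('HostGUID row not found in dbo.HostSettings; aborting.', 16, 1);
    RETURN;
END;

PRINT 'Current HostGUID: ' + @OldGuid;

-- Step 4: replace the shared GUID inside a transaction so a partial change
-- cannot be left behind.
BEGIN TRANSACTION;

UPDATE dbo.HostSettings
SET SettingValue = @NewGuid
WHERE SettingName = 'HostGUID'
  AND SettingValue = @OldGuid;   -- only change the row we just inspected

IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected exactly one HostGUID row to change; rolled back.', 16, 1);
    RETURN;
END;

COMMIT TRANSACTION;

PRINT 'New HostGUID: ' + @NewGuid;

-- Confirm the stored value after the commit.
SELECT SettingName, SettingValue
FROM dbo.HostSettings
WHERE SettingName = 'HostGUID';
```

The script stops with an error if the HostGUID row is missing or if more (or fewer) than one row would change, and the UPDATE is conditioned on the value read in step 1 so a concurrent edit between the read and the write is not silently overwritten. It deliberately does nothing beyond the database: recycling the application pool, regenerating the machine keys in web.config, and invalidating sessions (steps 5 and 6) are done afterwards on the web server.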
