Skip to main content

1Panel CVE-2025-34410

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-10 disclosure@vulncheck.com
7.0
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Network CSRF needing victim's authenticated session and page visit gives UI:R and PR:N; username change is I:L, resulting lockout is A:H, no data exposure so C:N.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 23:32 vuln.today
CVE Published
Dec 10, 2025 - 16:16 cve.org
HIGH 7.0

DescriptionCVE.org

1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim’s 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and denial of service.

AnalysisAI

Account lockout denial-of-service in 1Panel (versions 1.10.33 through 2.0.15) allows a remote attacker to forcibly change an authenticated victim's username via a cross-site request forgery flaw in the Change Username endpoint at /settings/panel. Because the endpoint lacks anti-CSRF tokens and Origin/Referer validation, a victim who visits a malicious page while logged in unknowingly submits a username change with valid session cookies, after which they are logged out and locked out of their account. No public exploit identified at time of analysis; disclosed via a VulnCheck advisory with no CISA KEV listing and no EPSS data supplied.

Technical ContextAI

1Panel (CPE cpe:2.3:a:fit2cloud:1panel) is an open-source Linux server management control panel developed by FIT2CLOUD, providing web-based administration of hosts, containers, websites, and databases. The root cause is CWE-352 (Cross-Site Request Forgery): the /settings/panel Change Username handler relies solely on ambient session cookies for authorization and performs no unforgeable request verification. Modern browsers automatically attach session cookies to cross-origin form submissions, so a state-changing POST originating from an attacker-controlled page is processed as if the victim intended it. The absence of both a synchronizer (anti-CSRF) token and any Origin/Referer header check means there is no server-side signal to distinguish a forged request from a legitimate one.

RemediationAI

No exact vendor-released patch version is identified in the provided data; consult the 1Panel release page (https://github.com/1Panel-dev/1Panel/releases) for a version newer than 2.0.15 and upgrade to it once confirmed fixed, and review the VulnCheck advisory (https://www.vulncheck.com/advisories/1panel-csrf-in-change-username-functionality-allows-account-lockout) for the authoritative fix reference. Until a patched build is applied, restrict network access to the 1Panel management interface so it is reachable only from a trusted VPN or management subnet rather than the public internet, which prevents an attacker from driving requests to the endpoint (trade-off: administrators must connect through the restricted path). Additionally, advise administrators not to browse untrusted sites in the same browser session where they are logged into 1Panel, and consider terminating panel sessions when unattended to shrink the window in which a forged request can succeed; browser-side controls such as strict SameSite cookie behavior also reduce cross-site cookie attachment but should be verified against your deployment.

More in 1panel

View all
CVE-2024-39911 CRITICAL POC
9.8 Jul 18

1Panel is a web-based linux server management control panel. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2024-39907 CRITICAL POC
9.8 Jul 18

1Panel is a web-based linux server management control panel. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2024-2352 CRITICAL POC
9.8 Mar 10

A vulnerability, which was classified as critical, has been found in 1Panel up to 1.10.1-lts. Rated critical severity (C

CVE-2023-39966 CRITICAL POC
9.8 Aug 10

1Panel is an open source Linux server operation and maintenance management panel. Rated critical severity (CVSS 9.8), th

CVE-2023-37477 HIGH POC
8.8 Jul 18

1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 8.8), this v

CVE-2023-36458 HIGH POC
8.8 Jul 05

1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 8.8), this v

CVE-2023-36457 HIGH POC
8.8 Jul 05

1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 8.8), this v

CVE-2024-34352 HIGH POC
7.5 May 14

1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 7.5), this v

CVE-2023-39964 HIGH POC
7.5 Aug 10

1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 7.5), this v

CVE-2023-39965 MEDIUM POC
4.3 Aug 10

1Panel is an open source Linux server operation and maintenance management panel. Rated medium severity (CVSS 4.3), this

CVE-2024-24768 HIGH
7.5 Feb 05

1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 7.5), this v

CVE-2024-27288 LOW POC
3.1 Mar 06

1Panel is an open source Linux server operation and maintenance management panel. Rated low severity (CVSS 3.1), this vu

Share

CVE-2025-34410 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy