1Panel
CVE-2025-34410
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network CSRF needing victim's authenticated session and page visit gives UI:R and PR:N; username change is I:L, resulting lockout is A:H, no data exposure so C:N.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim’s 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and denial of service.
AnalysisAI
Account lockout denial-of-service in 1Panel (versions 1.10.33 through 2.0.15) allows a remote attacker to forcibly change an authenticated victim's username via a cross-site request forgery flaw in the Change Username endpoint at /settings/panel. Because the endpoint lacks anti-CSRF tokens and Origin/Referer validation, a victim who visits a malicious page while logged in unknowingly submits a username change with valid session cookies, after which they are logged out and locked out of their account. No public exploit identified at time of analysis; disclosed via a VulnCheck advisory with no CISA KEV listing and no EPSS data supplied.
Technical ContextAI
1Panel (CPE cpe:2.3:a:fit2cloud:1panel) is an open-source Linux server management control panel developed by FIT2CLOUD, providing web-based administration of hosts, containers, websites, and databases. The root cause is CWE-352 (Cross-Site Request Forgery): the /settings/panel Change Username handler relies solely on ambient session cookies for authorization and performs no unforgeable request verification. Modern browsers automatically attach session cookies to cross-origin form submissions, so a state-changing POST originating from an attacker-controlled page is processed as if the victim intended it. The absence of both a synchronizer (anti-CSRF) token and any Origin/Referer header check means there is no server-side signal to distinguish a forged request from a legitimate one.
RemediationAI
No exact vendor-released patch version is identified in the provided data; consult the 1Panel release page (https://github.com/1Panel-dev/1Panel/releases) for a version newer than 2.0.15 and upgrade to it once confirmed fixed, and review the VulnCheck advisory (https://www.vulncheck.com/advisories/1panel-csrf-in-change-username-functionality-allows-account-lockout) for the authoritative fix reference. Until a patched build is applied, restrict network access to the 1Panel management interface so it is reachable only from a trusted VPN or management subnet rather than the public internet, which prevents an attacker from driving requests to the endpoint (trade-off: administrators must connect through the restricted path). Additionally, advise administrators not to browse untrusted sites in the same browser session where they are logged into 1Panel, and consider terminating panel sessions when unattended to shrink the window in which a forged request can succeed; browser-side controls such as strict SameSite cookie behavior also reduce cross-site cookie attachment but should be verified against your deployment.
1Panel is a web-based linux server management control panel. Rated critical severity (CVSS 9.8), this vulnerability is r
1Panel is a web-based linux server management control panel. Rated critical severity (CVSS 9.8), this vulnerability is r
A vulnerability, which was classified as critical, has been found in 1Panel up to 1.10.1-lts. Rated critical severity (C
1Panel is an open source Linux server operation and maintenance management panel. Rated critical severity (CVSS 9.8), th
1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 8.8), this v
1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 8.8), this v
1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 8.8), this v
1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 7.5), this v
1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 7.5), this v
1Panel is an open source Linux server operation and maintenance management panel. Rated medium severity (CVSS 4.3), this
1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 7.5), this v
1Panel is an open source Linux server operation and maintenance management panel. Rated low severity (CVSS 3.1), this vu
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today