1Panel
CVE-2025-34429
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote CSRF needs no attacker privileges (PR:N) but a logged-in victim must visit attacker content (UI:R); impact is availability-dominant (A:H) with minor config integrity (I:L) and no confidentiality (C:N).
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the web port configuration functionality. The port-change endpoint lacks CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a port-change request; when a victim visits it while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the port on which the 1Panel web service listens, causing loss of access on the original port and resulting in service disruption or denial of service, and may unintentionally expose the service on an attacker-chosen port.
AnalysisAI
Cross-site request forgery in 1Panel (versions 1.10.33 through 2.0.15) lets a remote attacker change the TCP port the web management service listens on by luring an authenticated administrator to a malicious webpage. Because the port-change endpoint has no anti-CSRF token or Origin/Referer checks, the victim's browser silently replays valid session cookies, moving the panel off its expected port and causing loss of access, denial of service, or unintended exposure on an attacker-chosen port. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially craftable given the described missing defenses.
Technical ContextAI
1Panel (vendor fit2cloud, project 1Panel-dev, CPE cpe:2.3:a:fit2cloud:1panel) is an open-source Linux server operations and management panel that exposes a web UI for administering hosts, containers, websites, and system settings. The weakness is CWE-352 (Cross-Site Request Forgery): the HTTP endpoint that reconfigures the web service listening port performs a state-changing action based solely on the presence of an authenticated session cookie, with no unpredictable per-request token and no server-side validation of the request's Origin or Referer header. Browsers automatically attach same-site session cookies to any request the panel's own domain, so a request forged by an unrelated attacker page is indistinguishable from a legitimate one to the server, allowing the sensitive configuration change to be driven cross-site.
RemediationAI
Upgrade 1Panel to a release later than 2.0.15 from https://github.com/1Panel-dev/1Panel/releases once a fixed version is published; the provided data does not name an exact patched version, so verify the fix in the release notes before deploying. Consult the VulnCheck advisory at https://www.vulncheck.com/advisories/1panel-csrf-web-port-configuration-change for authoritative details. Until a confirmed patched build is applied, reduce exposure by restricting the panel's management interface to a trusted management network or VPN and blocking direct internet access to it (trade-off: administrators lose convenient remote reach and must connect through the VPN), by having administrators log out of 1Panel when not actively using it to shrink the window in which a forged request can ride a live session, and by fronting the panel with a reverse proxy that enforces Origin/Referer validation or requires a custom header on state-changing requests (trade-off: added proxy configuration and potential breakage of legitimate automation). Browser-side isolation - using a dedicated browser or profile for the panel and not browsing other sites in it - further limits CSRF opportunity.
1Panel is a web-based linux server management control panel. Rated critical severity (CVSS 9.8), this vulnerability is r
1Panel is a web-based linux server management control panel. Rated critical severity (CVSS 9.8), this vulnerability is r
A vulnerability, which was classified as critical, has been found in 1Panel up to 1.10.1-lts. Rated critical severity (C
1Panel is an open source Linux server operation and maintenance management panel. Rated critical severity (CVSS 9.8), th
1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 8.8), this v
1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 8.8), this v
1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 8.8), this v
1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 7.5), this v
1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 7.5), this v
1Panel is an open source Linux server operation and maintenance management panel. Rated medium severity (CVSS 4.3), this
1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 7.5), this v
1Panel is an open source Linux server operation and maintenance management panel. Rated low severity (CVSS 3.1), this vu
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today