Skip to main content

CtrlPanel CVE-2026-34233

| EUVDEUVD-2026-30985 MEDIUM
Improper Access Control (CWE-284)
2026-05-19 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
May 19, 2026 - 22:02 EUVD
Source Code Evidence Fetched
May 19, 2026 - 21:16 vuln.today
Analysis Generated
May 19, 2026 - 21:16 vuln.today

DescriptionGitHub Advisory

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenticated user to access sensitive administrative data that should be restricted to administrators only. The affected admin controllers define datatable() methods that are reachable via GET requests but lack any permission or role verification. Because the routes fall under the /admin/ prefix, operators may assume they are protected - however, the middleware applied to this route group does not enforce admin-level authorization on these specific endpoints. As a result, any authenticated user (regardless of role) can query these endpoints and receive paginated JSON responses containing sensitive records. Exploitation can result in enumeration of user PII, payment and transaction records, active voucher and coupon codes, role and permission structure, server ownership mappings and support ticket contents. This issue has been fixed in version 1.2.0.

AnalysisAI

CtrlPanel versions 1.1.1 and prior expose administrative DataTable endpoints without enforcing admin-level authorization, allowing any authenticated low-privileged user to retrieve sensitive records that should be restricted to administrators. The flaw stems from a gap between route-prefix-level middleware and per-endpoint permission enforcement: routes under /admin/ appear protected but datatable() methods lack role verification, making the protection illusory. Exploitation yields access to user PII, payment and transaction records, active coupon codes, role/permission structure, server ownership mappings, and support ticket contents - a significant confidentiality breach. No public exploit or CISA KEV listing is identified at time of analysis; a vendor-released patch is available in version 1.2.0.

Technical ContextAI

CtrlPanel is a Laravel-based open-source billing and management panel for hosting providers (CPE: cpe:2.3:a:ctrlpanel-gg:panel:*:*:*:*:*:*:*:*). The vulnerability is rooted in CWE-284 (Improper Access Control): Laravel route groups can apply middleware at the group level, but individual controller methods within that group are not automatically covered by admin-role guards unless explicitly applied. The affected admin controllers implement datatable() methods accessible via HTTP GET - a common pattern for server-side DataTable AJAX responses - without attaching any middleware or policy check that verifies the requesting user holds an administrative role. Because the /admin/ URL prefix visually implies access restriction, operators likely assumed these endpoints were protected, masking the misconfiguration. The result is that role-agnostic authenticated sessions can query paginated JSON payloads directly from admin data sources.

RemediationAI

Vendor-released patch: version 1.2.0. Operators should upgrade to CtrlPanel 1.2.0 immediately, available at https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0. The release notes confirm this version includes security patches alongside a substantial set of bug fixes. If an immediate upgrade is not feasible, a compensating control is to restrict network-level access to all /admin/* routes to trusted IP ranges or authenticated admin sessions using a reverse proxy (e.g., nginx allow/deny rules) - this prevents general user accounts from reaching the endpoint even if the application layer does not enforce role checks. Note that this workaround requires careful proxy configuration and does not fix the underlying code flaw; it should be treated as temporary. Review the full security advisory at https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-mj5g-j7fq-7hc4 for additional guidance.

More in Panel

View all
CVE-2024-5960 CRITICAL
9.8 Sep 18

Plaintext Storage of a Password vulnerability in Eliz Software Panel allows : Use of Known Domain Credentials.3.24. Rate

CVE-2026-33746 CRITICAL
9.8 Apr 02

JWT signature verification bypass in ConvoyPanel 3.9.0-beta through 4.5.0 allows unauthenticated remote attackers to for

CVE-2024-6877 CRITICAL
9.4 Sep 18

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Eliz Softwa

CVE-2024-5958 CRITICAL
9.4 Sep 18

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eliz Software Pane

CVE-2017-16807 MEDIUM POC
5.4 Nov 13

A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exist

CVE-2024-5959 CRITICAL
9.3 Sep 18

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Eliz Softwa

CVE-2020-26255 CRITICAL
9.1 Dec 08

Kirby is a CMS. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. T

CVE-2026-34241 HIGH
8.7 May 19

Stored cross-site scripting in CtrlPanel (versions ≤1.1.1) allows a low-privileged ticket participant to inject arbitrar

CVE-2026-26016 HIGH
8.1 Feb 19

Missing authorization validation in Pterodactyl Wings prior to version 1.12.1 allows authenticated nodes to access and m

CVE-2021-41129 HIGH
8.1 Oct 06

Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Rated high severity (CVSS 8.

CVE-2019-1020002 HIGH
7.5 Jul 29

Pterodactyl before 0.7.14 with 2FA allows credential sniffing. Rated high severity (CVSS 7.5), this vulnerability is rem

CVE-2025-69198 MEDIUM
6.5 Jan 19

Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to

Share

CVE-2026-34233 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy