Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenticated user to access sensitive administrative data that should be restricted to administrators only. The affected admin controllers define datatable() methods that are reachable via GET requests but lack any permission or role verification. Because the routes fall under the /admin/ prefix, operators may assume they are protected - however, the middleware applied to this route group does not enforce admin-level authorization on these specific endpoints. As a result, any authenticated user (regardless of role) can query these endpoints and receive paginated JSON responses containing sensitive records. Exploitation can result in enumeration of user PII, payment and transaction records, active voucher and coupon codes, role and permission structure, server ownership mappings and support ticket contents. This issue has been fixed in version 1.2.0.
AnalysisAI
CtrlPanel versions 1.1.1 and prior expose administrative DataTable endpoints without enforcing admin-level authorization, allowing any authenticated low-privileged user to retrieve sensitive records that should be restricted to administrators. The flaw stems from a gap between route-prefix-level middleware and per-endpoint permission enforcement: routes under /admin/ appear protected but datatable() methods lack role verification, making the protection illusory. Exploitation yields access to user PII, payment and transaction records, active coupon codes, role/permission structure, server ownership mappings, and support ticket contents - a significant confidentiality breach. No public exploit or CISA KEV listing is identified at time of analysis; a vendor-released patch is available in version 1.2.0.
Technical ContextAI
CtrlPanel is a Laravel-based open-source billing and management panel for hosting providers (CPE: cpe:2.3:a:ctrlpanel-gg:panel:*:*:*:*:*:*:*:*). The vulnerability is rooted in CWE-284 (Improper Access Control): Laravel route groups can apply middleware at the group level, but individual controller methods within that group are not automatically covered by admin-role guards unless explicitly applied. The affected admin controllers implement datatable() methods accessible via HTTP GET - a common pattern for server-side DataTable AJAX responses - without attaching any middleware or policy check that verifies the requesting user holds an administrative role. Because the /admin/ URL prefix visually implies access restriction, operators likely assumed these endpoints were protected, masking the misconfiguration. The result is that role-agnostic authenticated sessions can query paginated JSON payloads directly from admin data sources.
RemediationAI
Vendor-released patch: version 1.2.0. Operators should upgrade to CtrlPanel 1.2.0 immediately, available at https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0. The release notes confirm this version includes security patches alongside a substantial set of bug fixes. If an immediate upgrade is not feasible, a compensating control is to restrict network-level access to all /admin/* routes to trusted IP ranges or authenticated admin sessions using a reverse proxy (e.g., nginx allow/deny rules) - this prevents general user accounts from reaching the endpoint even if the application layer does not enforce role checks. Note that this workaround requires careful proxy configuration and does not fix the underlying code flaw; it should be treated as temporary. Review the full security advisory at https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-mj5g-j7fq-7hc4 for additional guidance.
Plaintext Storage of a Password vulnerability in Eliz Software Panel allows : Use of Known Domain Credentials.3.24. Rate
JWT signature verification bypass in ConvoyPanel 3.9.0-beta through 4.5.0 allows unauthenticated remote attackers to for
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Eliz Softwa
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eliz Software Pane
A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exist
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Eliz Softwa
Kirby is a CMS. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. T
Stored cross-site scripting in CtrlPanel (versions ≤1.1.1) allows a low-privileged ticket participant to inject arbitrar
Missing authorization validation in Pterodactyl Wings prior to version 1.12.1 allows authenticated nodes to access and m
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Rated high severity (CVSS 8.
Pterodactyl before 0.7.14 with 2FA allows credential sniffing. Rated high severity (CVSS 7.5), this vulnerability is rem
Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30985