What is the CVSS score of EUVD-2026-18354?

EUVD-2026-18354 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Panel are affected by EUVD-2026-18354?

ConveyPanel versions 3.9.0-beta through 4.5.0 contain a critical JWT signature verification bypass that allows unauthenticated attackers to forge authentication tokens and impersonate any user,…. A patch is available.

How to fix or mitigate EUVD-2026-18354?

Within 24 hours: Identify all instances of ConveyPanel in use and confirm current version via admin console or API. Within 7 days: Upgrade to ConveyPanel 4.5.1 or later (patch available per vendor advisory); if immediate upgrade is not feasible, implement network segmentation to restrict access to ConveyPanel admin interfaces to trusted IP ranges only. Within 30 days: Conduct a comprehensive audit of JWT token generation and validation logic; review authentication logs for suspicious token usage patterns during the vulnerability window; reset all user session tokens to invalidate any potentially forged credentials.

Panel EUVD-2026-18354

| CVE-2026-33746 CRITICAL

Improper Authentication (CWE-287)

2026-04-02 GitHub_M

Authentication Bypass Panel

9.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 16, 2026 - 17:52 vuln.today

cvss_changed

Analysis Updated

Apr 16, 2026 - 05:47 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

4.5.1

EUVD ID Assigned

Apr 02, 2026 - 16:00 euvd

EUVD-2026-18354

Analysis Generated

Apr 02, 2026 - 16:00 vuln.today

CVE Published

Apr 02, 2026 - 15:06 nvd

CRITICAL 9.8

DescriptionGitHub Advisory

Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode() method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated time-based claims (exp, nbf, iat) using the StrictValidAt constraint. The SignedWith constraint was not included in the validation step. This means an attacker could forge or tamper with JWT token payloads - such as modifying the user_uuid claim - and the token would be accepted as valid, as long as the time-based claims were satisfied. This directly impacts the SSO authentication flow (LoginController::authorizeToken), allowing an attacker to authenticate as any user by crafting a token with an arbitrary user_uuid. This issue has been patched in version 4.5.1.

AnalysisAI

JWT signature verification bypass in ConvoyPanel 3.9.0-beta through 4.5.0 allows unauthenticated remote attackers to forge authentication tokens and impersonate any user account. The JWTService::decode() method validates only time-based claims while ignoring cryptographic signatures, enabling complete authentication bypass in the SSO flow by crafting tokens with arbitrary user_uuid values. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft forged JWT token with modified user_uuid claim

Delivery

Send token in request to Convoy API

Exploit

Bypass signature verification in JWTService::decode()

Execution

Gain unauthorized access as different user

Impact

Execute administrative actions or access sensitive data

Access

Craft forged JWT token with modified user_uuid claim

Delivery

Send token in request to Convoy API

Exploit

Bypass signature verification in JWTService::decode()

Execution

Gain unauthorized access as different user

Impact

Execute administrative actions or access sensitive data

Vulnerability AssessmentAI

Exploitation	Convoy versions 3.9.0-beta through 4.5.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	This represents a critical authentication bypass with severe real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated attacker identifies a ConvoyPanel installation running version 4.5.0 or earlier. By examining legitimate JWT tokens or referencing the public security advisory, the attacker crafts a forged JWT with an arbitrary user_uuid claim corresponding to an administrator account, setting valid exp/nbf/iat timestamps to satisfy time-based constraints. …
Remediation	Vendor-released patch: version 4.5.1 resolves this vulnerability by implementing proper JWT signature verification in the JWTService::decode() method. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all instances of ConveyPanel in use and confirm current version via admin console or API. …

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-18354 vulnerability details – vuln.today

Back

Panel EUVD-2026-18354

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code