EUVD-2026-18354
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode() method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated time-based claims (exp, nbf, iat) using the StrictValidAt constraint. The SignedWith constraint was not included in the validation step. This means an attacker could forge or tamper with JWT token payloads - such as modifying the user_uuid claim - and the token would be accepted as valid, as long as the time-based claims were satisfied. This directly impacts the SSO authentication flow (LoginController::authorizeToken), allowing an attacker to authenticate as any user by crafting a token with an arbitrary user_uuid. This issue has been patched in version 4.5.1.
Analysis
JWT signature verification bypass in ConvoyPanel 3.9.0-beta through 4.5.0 allows unauthenticated remote attackers to forge authentication tokens and impersonate any user account. The JWTService::decode() method validates only time-based claims while ignoring cryptographic signatures, enabling complete authentication bypass in the SSO flow by crafting tokens with arbitrary user_uuid values. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all ConvoyPanel deployments and document current versions in use; isolate or restrict network access to ConveyPanel instances from untrusted networks if feasible. Within 7 days: Contact Convoy Labs for emergency patch availability and timeline; implement network segmentation to limit ConvoyPanel access to trusted administrative networks only; enable detailed JWT token logging if supported. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today