Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contains a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any authenticated user to bypass RBAC via direct POST/PATCH requests. Controllers missing checks on write methods store() and update() include ApplicationApiController (admin.api.write), CouponController (admin.coupons.write), PartnerController (admin.partners.write), ShopProductController (admin.store.write), UsefulLinkController (admin.useful_links.write), and VoucherController (admin.voucher.write); ProductController (admin.products.edit), ServerController (write/change_owner/change_identifier), and UserController (write/change_email/change_credits/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit) are missing checks on update() only, and ActivityLogController exposed empty stub store()/update() methods that silently accepted any request. An authenticated attacker without admin write privileges can issue API credentials, generate unlimited coupons and vouchers, assign arbitrary partner commission and discount rates, alter shop product pricing and limits, reassign server ownership or identifiers, and modify user accounts including roles, credits, passwords, and linked Pterodactyl IDs to achieve full privilege escalation, as well as abuse logBackIn() without the login_as permission to interfere with admin impersonation sessions. This issue has been fixed in version 1.2.0.
AnalysisAI
Privilege escalation in CtrlPanel hosting billing software (versions ≤1.1.1) allows any authenticated low-privilege user to invoke admin write endpoints because store()/update() controller methods omit the RBAC permission checks present on their corresponding form-display methods. Successful exploitation yields effective admin control over API credentials, coupons, vouchers, partner commissions, shop pricing, server ownership, and user accounts (including roles, credits, passwords, and Pterodactyl linkages). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
CtrlPanel is a Laravel-based open-source billing and user portal for hosting providers, commonly fronting Pterodactyl game-server panels. The flaw is a classic CWE-284 (Improper Access Control) pattern in which authorization is enforced at the GET/edit/create routes but not on the corresponding POST/PATCH state-changing handlers. Affected controllers explicitly named in the advisory are ApplicationApiController, CouponController, PartnerController, ShopProductController, UsefulLinkController, VoucherController (missing checks on both store() and update()), and ProductController, ServerController, UserController (missing checks on update() and related state-change actions such as change_owner, change_identifier, change_email, change_credits, change_password, change_role, change_ptero, change_serverlimit). ActivityLogController additionally shipped empty stub store()/update() methods that silently accepted requests, and the logBackIn() flow lacked the login_as permission gate, enabling interference with admin impersonation sessions.
RemediationAI
Vendor-released patch: upgrade to CtrlPanel 1.2.0 or later, available at https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0 per advisory GHSA-pxmw-gj52-9p68. Until the upgrade is applied, operators should disable open user self-registration so that only trusted accounts can authenticate (this blocks reachability but breaks the normal customer signup flow), restrict access to the /admin/* API routes at the reverse proxy or WAF to known admin IP ranges (this protects the write endpoints but will also block legitimate admin work from other networks), and audit ActivityLog, Coupon, Voucher, Partner, ShopProduct, User, and Server tables for unauthorized rows or modifications before opening the portal again. Note that route-level proxy blocking is a coarse mitigation: the vulnerable endpoints share URL prefixes with legitimate read endpoints, so verify allow/deny rules carefully to avoid breaking the admin UI.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30993