Skip to main content

CtrlPanel EUVDEUVD-2026-30993

| CVE-2026-34358 HIGH
Improper Access Control (CWE-284)
2026-05-19 security-advisories@github.com
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
May 19, 2026 - 23:02 EUVD
Source Code Evidence Fetched
May 19, 2026 - 22:30 vuln.today
Analysis Generated
May 19, 2026 - 22:30 vuln.today

DescriptionGitHub Advisory

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contains a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any authenticated user to bypass RBAC via direct POST/PATCH requests. Controllers missing checks on write methods store() and update() include ApplicationApiController (admin.api.write), CouponController (admin.coupons.write), PartnerController (admin.partners.write), ShopProductController (admin.store.write), UsefulLinkController (admin.useful_links.write), and VoucherController (admin.voucher.write); ProductController (admin.products.edit), ServerController (write/change_owner/change_identifier), and UserController (write/change_email/change_credits/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit) are missing checks on update() only, and ActivityLogController exposed empty stub store()/update() methods that silently accepted any request. An authenticated attacker without admin write privileges can issue API credentials, generate unlimited coupons and vouchers, assign arbitrary partner commission and discount rates, alter shop product pricing and limits, reassign server ownership or identifiers, and modify user accounts including roles, credits, passwords, and linked Pterodactyl IDs to achieve full privilege escalation, as well as abuse logBackIn() without the login_as permission to interfere with admin impersonation sessions. This issue has been fixed in version 1.2.0.

AnalysisAI

Privilege escalation in CtrlPanel hosting billing software (versions ≤1.1.1) allows any authenticated low-privilege user to invoke admin write endpoints because store()/update() controller methods omit the RBAC permission checks present on their corresponding form-display methods. Successful exploitation yields effective admin control over API credentials, coupons, vouchers, partner commissions, shop pricing, server ownership, and user accounts (including roles, credits, passwords, and Pterodactyl linkages). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

CtrlPanel is a Laravel-based open-source billing and user portal for hosting providers, commonly fronting Pterodactyl game-server panels. The flaw is a classic CWE-284 (Improper Access Control) pattern in which authorization is enforced at the GET/edit/create routes but not on the corresponding POST/PATCH state-changing handlers. Affected controllers explicitly named in the advisory are ApplicationApiController, CouponController, PartnerController, ShopProductController, UsefulLinkController, VoucherController (missing checks on both store() and update()), and ProductController, ServerController, UserController (missing checks on update() and related state-change actions such as change_owner, change_identifier, change_email, change_credits, change_password, change_role, change_ptero, change_serverlimit). ActivityLogController additionally shipped empty stub store()/update() methods that silently accepted requests, and the logBackIn() flow lacked the login_as permission gate, enabling interference with admin impersonation sessions.

RemediationAI

Vendor-released patch: upgrade to CtrlPanel 1.2.0 or later, available at https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0 per advisory GHSA-pxmw-gj52-9p68. Until the upgrade is applied, operators should disable open user self-registration so that only trusted accounts can authenticate (this blocks reachability but breaks the normal customer signup flow), restrict access to the /admin/* API routes at the reverse proxy or WAF to known admin IP ranges (this protects the write endpoints but will also block legitimate admin work from other networks), and audit ActivityLog, Coupon, Voucher, Partner, ShopProduct, User, and Server tables for unauthorized rows or modifications before opening the portal again. Note that route-level proxy blocking is a coarse mitigation: the vulnerable endpoints share URL prefixes with legitimate read endpoints, so verify allow/deny rules carefully to avoid breaking the admin UI.

Share

EUVD-2026-30993 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy