CVE-2025-34410
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-10

Last updated on: 2025-12-10

Assigner: VulnCheck

Description
1Panel versions 1.10.33 -Β 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim’s 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and denial of service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-10
Last Modified
2025-12-10
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34410
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
1panel 1panel 2.0.15
1panel 1panel 1.10.33
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a cross-site request forgery (CSRF) issue in 1Panel versions 1.10.33 to 2.0.15 affecting the Change Username functionality. The endpoint lacks CSRF protections like anti-CSRF tokens or Origin/Referer validation. An attacker can create a malicious webpage that, when visited by an authenticated user, submits a request to change the user's username without their consent. This causes the victim to be logged out and locked out of their account because they cannot log in with the previous username.

Impact Analysis

The vulnerability can lead to an attacker changing your 1Panel username without your consent, resulting in you being logged out and unable to log back in with your previous username. This effectively locks you out of your account, causing a denial of service.

Mitigation Strategies

To mitigate this vulnerability, immediately update 1Panel to a version later than 2.0.15 where the CSRF vulnerability is fixed. If an update is not possible, implement additional CSRF protections such as anti-CSRF tokens or Origin/Referer header validation on the Change Username endpoint. Additionally, monitor for suspicious username change requests and consider restricting access to the settings panel to trusted users only.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34410. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart