CVE-2026-34216
Deferred Deferred - Pending Action
Authenticated Remote Code Execution in CtrlPanel Billing Software

Publication date: 2026-05-19

Last updated on: 2026-05-20

Assigner: GitHub, Inc.

Description
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowlist validation, allowing for authenticated Remote Code Execution. An authenticated admin-level user could supply an arbitrary class name available in the Composer autoloader, potentially triggering unintended constructor or magic method execution. The update() method reads settings_class directly from the HTTP request and passed it to new $settings_class() and $settings_class::getValidations() without verifying that the provided value corresponds to a legitimate settings class: Because PHP resolves class names against the Composer autoloader at runtime, any autoloadable class in the application or its dependencies could be instantiated. Depending on the classes available in the dependency tree, this can trigger unintended side effects through constructors or magic methods (__construct, __toString, __wakeup), following a PHP object injection / gadget chain pattern. This issue has been fixed in version 1.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-34216
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
ctrlpanel ctrlpanel to 1.2.0 (exc)
ctrlpanel ctrlpanel 1.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-470 The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an authenticated admin-level user to execute arbitrary code remotely by supplying a crafted class name, potentially leading to unauthorized access, data manipulation, or system compromise.

Such unauthorized access and potential data breaches could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

However, the provided information does not explicitly describe the direct effects on compliance with these standards.

Executive Summary

This vulnerability exists in CtrlPanel, an open-source billing software for hosting providers, in versions 1.1.1 and earlier. The admin settings update endpoint accepts a fully qualified class name directly from user input without validating it against an allowlist. This allows an authenticated admin user to supply any class name available in the Composer autoloader, which the system then uses to instantiate objects or call static methods dynamically.

Because PHP resolves class names at runtime via the Composer autoloader, this can lead to unintended execution of constructors or magic methods (__construct, __toString, __wakeup) of arbitrary classes. This behavior can be exploited to perform authenticated Remote Code Execution (RCE) through PHP object injection or gadget chains.

The issue was fixed in version 1.2.0 by adding proper validation to ensure only legitimate settings classes are instantiated.

Impact Analysis

If you are using CtrlPanel version 1.1.1 or earlier, an authenticated admin user could exploit this vulnerability to execute arbitrary code on the server. This could lead to full system compromise, unauthorized data access, data modification, or service disruption.

Because the vulnerability requires admin-level authentication, the risk is limited to users with such privileges, but the impact remains severe due to the potential for remote code execution.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade CtrlPanel to version 1.2.0 or later, where the issue has been fixed.

This update ensures that the admin settings update endpoint no longer accepts arbitrary class names without validation, preventing authenticated Remote Code Execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34216. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart