CVE-2026-34358
Deferred - Pending Action
Broken Access Control in CtrlPanel Billing Software

Publication date: 2026-05-19

Last updated on: 2026-05-20

Assigner: GitHub, Inc.

Description
CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a broken access control vulnerability in which multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any authenticated user to bypass RBAC via direct POST/PATCH requests. Controllers missing checks on the write methods store() and update() include ApplicationApiController (admin.api.write), CouponController (admin.coupons.write), PartnerController (admin.partners.write), ShopProductController (admin.store.write), UsefulLinkController (admin.useful_links.write), and VoucherController (admin.voucher.write); ProductController (admin.products.edit), ServerController (write/change_owner/change_identifier), and UserController (write/change_email/change_credits/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit) are missing checks on update() only, and ActivityLogController exposed empty stub store()/update() methods that silently accepted any request. An authenticated attacker without admin write privileges can issue API credentials, generate unlimited coupons and vouchers, assign arbitrary partner commission and discount rates, alter shop product pricing and limits, reassign server ownership or identifiers, and modify user accounts including roles, credits, passwords, and linked Pterodactyl IDs to achieve full privilege escalation, as well as abuse logBackIn() without the login_as permission to interfere with admin impersonation sessions. This issue has been fixed in version 1.2.0.
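The defect pattern the description names, shown as an added example in a hypothetical Laravel controller (CtrlPanel is built on Laravel, but this is not CtrlPanel's code): the form-display method create() is gated while the write method store() is not, beside a hardened version where the permission is attached to every route of the resource so that a direct POST or PATCH cannot skip it. The permission name admin.coupons.write comes from the description; the class names, the route layout, the Coupon model and its columns are assumptions made for this example.

```php
<?php
// Added illustration, not CtrlPanel's code: the "form gated, write not gated"
// pattern from the advisory and one way to close it. Class names, routes, the
// Coupon model and its columns are assumptions made for this example.

namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\Models\Coupon;                     // assumed model
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\View\View;

// VULNERABLE shape (what the advisory describes): the GET that renders the
// form checks the permission, the POST that performs the write does not.
class CouponControllerBefore extends Controller
{
    public function create(Request $request): View
    {
        abort_unless($request->user()?->can('admin.coupons.write'), 403);
        return view('admin.coupons.create');
    }

    public function store(Request $request): RedirectResponse
    {
        // No permission check here: any logged-in user who sends
        // POST /admin/coupons directly, without ever loading the form,
        // creates a coupon. The same gap on update() affects PATCH/PUT.
        $data = $request->validate([
            'code'  => ['required', 'string', 'max:36'],
            'value' => ['required', 'numeric', 'min:0'],
        ]);
        Coupon::create($data);

        return redirect()->route('admin.coupons.index');
    }
}

// HARDENED shape: the permission is enforced for every request to the
// resource (see the route group below), and the write method repeats the
// check as defence in depth so the guard does not depend on route wiring.
class CouponController extends Controller
{
    public function create(): View
    {
        return view('admin.coupons.create');
    }

    public function store(Request $request): RedirectResponse
    {
        abort_unless($request->user()?->can('admin.coupons.write'), 403);

        $data = $request->validate([
            'code'  => ['required', 'string', 'max:36'],
            'value' => ['required', 'numeric', 'min:0'],
        ]);
        Coupon::create($data);

        return redirect()->route('admin.coupons.index');
    }
}

// Belongs in routes/web.php (assumed location). Laravel's "can:" middleware
// asks the Gate for the ability and answers 403 when the user lacks it, so
// GET create, POST store, GET edit and PATCH/PUT update are all covered by
// this one declaration instead of by a check copied into each method.
Route::prefix('admin')
    ->name('admin.')
    ->middleware(['auth', 'can:admin.coupons.write'])
    ->group(function () {
        Route::resource('coupons', CouponController::class);
    });
```

A quick check after upgrading or patching: `php artisan route:list -v --path=admin` prints each admin route with its middleware, which makes it easy to confirm that the POST/PATCH write routes carry the same `can:` middleware as the GET form routes rather than relying on a check inside the form handler alone.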
Meta Information
  • Published: 2026-05-19
  • Last Modified: 2026-05-20
  • Generated: 2026-05-20
  • AI Q&A: 2026-05-20
  • EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
  • Vendor: ctrlpanel, Product: ctrlpanel, Version / Range: up to 1.2.0 (excluding)
  • Vendor: ctrlpanel, Product: ctrlpanel, Version / Range: 1.2.0
CWE
  • CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
  • CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in CtrlPanel, an open-source billing software for hosting providers, in versions 1.1.1 and earlier. It is a broken access control issue where multiple admin controllers properly check permissions when displaying forms but fail to enforce the same checks on the corresponding write methods (such as store() and update()). This allows any authenticated user to bypass role-based access control (RBAC) by sending direct POST or PATCH requests.

Specifically, several controllers lack permission checks on their write methods, enabling an attacker without admin write privileges to perform unauthorized actions like issuing API credentials, generating unlimited coupons and vouchers, assigning partner commissions and discounts, altering product pricing and limits, reassigning server ownership or identifiers, and modifying user accounts including roles, credits, passwords, and linked IDs. This can lead to full privilege escalation and abuse of admin impersonation sessions.

The issue was fixed in version 1.2.0.


How can this vulnerability impact me?

This vulnerability can have severe impacts if you use CtrlPanel versions 1.1.1 or earlier. An authenticated attacker without proper admin privileges can exploit the broken access control to escalate their privileges fully.

  • Issue API credentials without authorization.
  • Generate unlimited coupons and vouchers, potentially causing financial loss.
  • Assign arbitrary partner commissions and discount rates, affecting revenue.
  • Alter shop product pricing and limits, disrupting business operations.
  • Reassign server ownership or identifiers, compromising server management.
  • Modify user accounts including roles, credits, passwords, and linked IDs, leading to full privilege escalation.
  • Abuse admin impersonation sessions without proper permissions.

Overall, this can lead to unauthorized access, financial damage, and loss of control over the system.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in CtrlPanel version 1.2.0. The immediate step to mitigate this vulnerability is to upgrade CtrlPanel to version 1.2.0 or later.

Until the upgrade can be performed, restrict access to the affected admin controllers and ensure that only trusted authenticated users have access to the system to reduce the risk of exploitation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated users to bypass role-based access control (RBAC) and perform unauthorized administrative actions such as modifying user accounts, altering pricing, and escalating privileges. This can lead to unauthorized access and modification of sensitive data.

Such unauthorized access and privilege escalation could potentially result in violations of compliance requirements under standards like GDPR and HIPAA, which mandate strict access controls and protection of personal and sensitive information.

However, the provided information does not explicitly state the impact on compliance with these standards.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for unauthorized POST or PATCH requests to admin write endpoints that should enforce RBAC but do not. Specifically, look for requests to endpoints related to store(), update(), or other write methods in controllers such as ApplicationApiController, CouponController, PartnerController, ShopProductController, UsefulLinkController, VoucherController, ProductController, ServerController, UserController, and ActivityLogController.

You can use network monitoring tools or web server logs to identify suspicious direct POST or PATCH requests to these endpoints from authenticated users without admin write privileges.

Example commands to detect such activity might include:

  • Using grep on web server logs to find POST or PATCH requests to admin write endpoints:
    grep -E 'POST|PATCH' /var/log/nginx/access.log | grep -E '/api/(store|update|write|change_owner|change_email|change_password|change_role|logBackIn)'
  • Using curl against your own instance to test whether a write endpoint accepts a request from a non-admin session (the cookie value is a placeholder for a real non-admin session; the JSON body needs its content type declared):
    curl -X POST -b 'auth_cookie=non_admin_user' -H 'Content-Type: application/json' https://your-ctrlpanel-domain/api/coupons/store -d '{"coupon_code":"TEST"}' -v
  • Using tools like Burp Suite or OWASP ZAP to intercept and modify authenticated requests to write endpoints to check if permission checks are enforced.

The endpoint paths in these commands are illustrative rather than CtrlPanel's actual route table; confirm the real admin routes of your installation before building log filters on them (for a Laravel application, php artisan route:list prints them with their middleware). Note also that a web server access log alone does not show whether the requesting account held admin write privileges, so matches should be correlated with the application's user records or activity log before being treated as exploitation.
