CVE-2026-34358
Broken Access Control in CtrlPanel Billing Software
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ctrlpanel | ctrlpanel | up to 1.2.0 (exclusive) |
| ctrlpanel | ctrlpanel | 1.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in CtrlPanel, an open-source billing software for hosting providers, in versions 1.1.1 and earlier. It is a broken access control issue where multiple admin controllers properly check permissions when displaying forms but fail to enforce the same checks on the corresponding write methods (such as store() and update()). This allows any authenticated user to bypass role-based access control (RBAC) by sending direct POST or PATCH requests.
Specifically, several controllers lack permission checks on their write methods, enabling an attacker without admin write privileges to perform unauthorized actions like issuing API credentials, generating unlimited coupons and vouchers, assigning partner commissions and discounts, altering product pricing and limits, reassigning server ownership or identifiers, and modifying user accounts including roles, credits, passwords, and linked IDs. This can lead to full privilege escalation and abuse of admin impersonation sessions.
The issue was fixed in version 1.2.0.
How can this vulnerability impact me?
This vulnerability can have severe impacts if you use CtrlPanel version 1.1.1 or earlier. An authenticated attacker without proper admin privileges can exploit the broken access control to fully escalate their privileges. In particular, the attacker can:
- Issue API credentials without authorization.
- Generate unlimited coupons and vouchers, potentially causing financial loss.
- Assign arbitrary partner commissions and discount rates, affecting revenue.
- Alter shop product pricing and limits, disrupting business operations.
- Reassign server ownership or identifiers, compromising server management.
- Modify user accounts including roles, credits, passwords, and linked IDs, leading to full privilege escalation.
- Abuse admin impersonation sessions without proper permissions.
Overall, this can lead to unauthorized access, financial damage, and loss of control over the system.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in CtrlPanel version 1.2.0. The immediate step to mitigate this vulnerability is to upgrade CtrlPanel to version 1.2.0 or later.
Until the upgrade can be performed, restrict access to the affected admin controllers and ensure that only trusted authenticated users have access to the system to reduce the risk of exploitation.
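The pattern described in the explanation above (a permission check on the form-rendering method but none on the corresponding write method) next to its fix, as an added example that is not CtrlPanel's own code. It assumes a Laravel resource controller and a hypothetical Gate ability named `admin.coupons.write`; the model, route and view names are placeholders.

```php
<?php
// Added example, not CtrlPanel's own code. Assumes a Laravel resource controller and a
// hypothetical Gate ability 'admin.coupons.write'; model, route and view names are placeholders.
namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\Models\Coupon;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

// BEFORE (the CWE-862 pattern): only the form-rendering method checks the ability.
class VulnerableCouponController extends Controller
{
    public function create()
    {
        Gate::authorize('admin.coupons.write'); // enforced for GET .../coupons/create
        return view('admin.coupons.create');
    }

    public function store(Request $request)
    {
        // No check here: any authenticated user who sends the POST directly succeeds.
        Coupon::create($request->only(['code', 'percentage', 'max_uses']));
        return redirect()->route('admin.coupons.index');
    }
}

// AFTER: the same check in every write method, so skipping the form changes nothing.
class CouponController extends Controller
{
    public function store(Request $request)
    {
        Gate::authorize('admin.coupons.write'); // 403 for users without the ability
        Coupon::create($request->only(['code', 'percentage', 'max_uses']));
        return redirect()->route('admin.coupons.index');
    }
}
// Defence in depth in routes/web.php: the 'can' middleware guards all seven resource
// actions (store, update, destroy included) even if a method forgets its inline check.
// Route::resource('admin/coupons', CouponController::class)
//     ->names('admin.coupons')
//     ->middleware(['auth', 'can:admin.coupons.write']);

// Regression test for tests/Feature: a user lacking the ability must get 403.
// public function test_non_admin_cannot_store_coupon(): void
// {
//     $this->actingAs(User::factory()->create())
//          ->post(route('admin.coupons.store'), ['code' => 'TEST'])
//          ->assertForbidden();
// }
```

The feature test is the check worth keeping in CI: it fails whenever a write method regains the "form is guarded, handler is not" shape.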
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users to bypass role-based access control (RBAC) and perform unauthorized administrative actions such as modifying user accounts, altering pricing, and escalating privileges. This can lead to unauthorized access and modification of sensitive data.
Such unauthorized access and privilege escalation could potentially result in violations of compliance requirements under standards like GDPR and HIPAA, which mandate strict access controls and protection of personal and sensitive information.
However, the provided information does not explicitly state the impact on compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unauthorized POST or PATCH requests to admin write endpoints that should enforce RBAC but do not. Specifically, look for requests to endpoints related to store(), update(), or other write methods in controllers such as ApplicationApiController, CouponController, PartnerController, ShopProductController, UsefulLinkController, VoucherController, ProductController, ServerController, UserController, and ActivityLogController.
You can use network monitoring tools or web server logs to identify suspicious direct POST or PATCH requests to these endpoints from authenticated users without admin write privileges.
Example commands to detect such activity might include:
- Using grep on web server logs to find POST or PATCH requests to admin write endpoints:
  `grep -E 'POST|PATCH' /var/log/nginx/access.log | grep -E '/api/(store|update|write|change_owner|change_email|change_password|change_role|logBackIn)'`
- Using curl to test whether write endpoints on your own instance accept requests without proper authorization:
  `curl -X POST -b 'auth_cookie=non_admin_user' https://your-ctrlpanel-domain/api/coupons/store -d '{"coupon_code":"TEST"}' -v`
- Using tools like Burp Suite or OWASP ZAP to intercept and modify authenticated requests to write endpoints and check whether permission checks are enforced.