Executive Summary

CVE-2026-43633 is a critical deserialization vulnerability in HestiaCP versions 1.9.0 through 1.9.4, specifically in the web terminal component. It arises due to a session format mismatch between PHP and Node.js, where PHP processes session data differently than Node.js. An unauthenticated remote attacker can inject crafted data into HTTP headers, which PHP accepts but Node.js incorrectly deserializes as trusted session values. This flaw allows the attacker to execute arbitrary commands with root privileges on systems that have the web terminal feature enabled.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated remote attackers to achieve root-level remote code execution on affected systems. This means attackers can run arbitrary commands with the highest privileges, potentially taking full control of the server, accessing sensitive data, modifying or deleting files, installing malware, or disrupting services. The vulnerability is especially dangerous because it requires no authentication and exploits the web terminal feature, which if enabled, exposes the system to these risks.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in HestiaCP allows unauthenticated remote attackers to achieve root-level code execution via a deserialization flaw in the web terminal component. This can lead to arbitrary command execution on affected systems.

Such a critical security flaw can severely impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system access controls. Unauthorized root-level access could lead to data breaches, unauthorized data manipulation, and loss of system integrity, all of which are violations of these regulations.

Therefore, organizations using vulnerable versions of HestiaCP without mitigation or patching risk non-compliance due to potential unauthorized access and data compromise.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying if your HestiaCP installation is running a vulnerable version (1.9.0 through 1.9.4) with the web terminal feature enabled.

Since the vulnerability is exploited via crafted HTTP headers processed by the PHP session handler and deserialized by the Node.js web terminal component, monitoring HTTP requests for unusual or suspicious headers targeting the web terminal endpoint can help detect exploitation attempts.

Additionally, checking if port 8083 (default port for HestiaCP web terminal) is accessible externally can indicate exposure.

• Use network scanning tools like nmap to check if port 8083 is open: nmap -p 8083 <target-ip>
• Inspect web server logs for unusual HTTP headers or requests to the web terminal endpoint.
• Use tools like curl to send crafted HTTP requests with suspicious headers to test if the web terminal is vulnerable (only in a controlled environment): curl -v -H "X-Custom-Header: <malicious-payload>" https://<target-ip>:8083/

No specific detection commands are provided in the available resources, but focusing on the presence of the vulnerable versions, enabled web terminal feature, and monitoring access to port 8083 are key indicators.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include disabling the web terminal feature and restricting access to the port used by the web terminal.

• Disable the web terminal using the command: v-delete-sys-web-terminal
• Restrict access to port 8083 (default web terminal port) by applying firewall rules to block external access.

Applying these mitigations reduces the attack surface until an official patched release is available.

A patch addressing the vulnerability has been merged into the main branch of the HestiaCP project, but no official release has been issued as of May 19, 2026.

Useful 0 Not Useful 0