CVE-2026-12196
Received Received - Intake

Broken Access Control in HestiaCP Panel Cronjob

Vulnerability report for CVE-2026-12196, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a

Description

HestiaCP panel cronjob feature is affected by a broken access control vulnerability. Low privilege users can modify the panel cronjob to execute scripts HestiaCP management scripts with passwordless sudo. This could result in the takeover of administrator users in the application and the underlying webserver.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-04
Last Modified
2026-07-04
Generated
2026-07-04
AI Q&A
2026-07-04
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hestiacp hestiacp From 2026-06-23 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring for unauthorized modifications to HestiaCP panel cron jobs, especially those created or modified by low-privileged users. Since the exploit involves creating cron jobs that execute scripts with passwordless sudo, checking for unusual or unexpected cron jobs running under the HestiaCP user or related system users is recommended.

You can use commands to list cron jobs and inspect them for suspicious entries. For example:

  • List cron jobs for the current user: crontab -l
  • List cron jobs for all users: sudo cat /etc/crontab and sudo ls /etc/cron.d/
  • Check for recently modified cron files: sudo find /etc/cron* -type f -mtime -7

Additionally, monitoring web server logs for suspicious requests that attempt to modify cron jobs or send crafted requests with low-privileged user cookies may help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include applying the patch that fixes the broken authorization check and adds CSRF token verification as described in the available fix for this vulnerability.

Until an official update from HestiaCP is released, manually applying the patch from the relevant pull request or security advisory is recommended.

Additionally, restrict access to the HestiaCP panel to trusted users only, monitor and audit cron jobs regularly, and consider temporarily disabling the cronjob feature if feasible.

Ensure that low-privileged users do not have permissions to modify cron jobs or execute scripts with elevated privileges.

Compliance Impact

The vulnerability allows low-privileged users to take over administrator accounts in the HestiaCP panel, potentially leading to unauthorized access and control over sensitive system functions.

Such unauthorized access could result in breaches of data confidentiality and integrity, which are critical concerns under compliance frameworks like GDPR and HIPAA.

However, the provided information does not explicitly describe the direct impact on compliance with these standards or any specific regulatory consequences.

Executive Summary

This vulnerability in HestiaCP panel involves a broken access control flaw in the cronjob feature. Low-privileged users can exploit this flaw to modify panel cronjobs, which run scripts with passwordless sudo privileges. The root cause is an improperly implemented authorization check that fails to verify admin status correctly, allowing unauthorized users to execute maintenance scripts with elevated privileges.

Specifically, the check intended to confirm admin rights fails because a variable ($ROOT_USER) is undefined, causing the condition to always evaluate as false. This enables attackers to create cron jobs that run with admin-level permissions, effectively allowing them to take over administrator accounts and the underlying webserver.

Additionally, the absence of CSRF token validation makes it easier for attackers to perform this exploit by sending crafted requests with a low-privileged user's session cookie.

Impact Analysis

This vulnerability can have severe impacts as it allows low-privileged users to escalate their privileges to full administrator access within the HestiaCP panel and the underlying webserver.

  • Attackers can modify cronjobs to execute scripts with passwordless sudo, enabling them to change admin passwords and take over admin accounts.
  • Once admin access is gained, attackers can control the application and potentially the entire server environment.
  • This can lead to unauthorized access, data breaches, service disruption, and further exploitation of the compromised system.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12196. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart