CVE-2026-34358

Published: Mag 20, 2026 Last Modified: Mag 20, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,1

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: none

Description

AI Translation Available

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contains a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any authenticated user to bypass RBAC via direct POST/PATCH requests. Controllers missing checks on write methods store() and update() include ApplicationApiController (admin.api.write), CouponController (admin.coupons.write), PartnerController (admin.partners.write), ShopProductController (admin.store.write), UsefulLinkController (admin.useful_links.write), and VoucherController (admin.voucher.write); ProductController (admin.products.edit), ServerController (write/change_owner/change_identifier), and UserController (write/change_email/change_credits/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit) are missing checks on update() only, and ActivityLogController exposed empty stub store()/update() methods that silently accepted any request. An authenticated attacker without admin write privileges can issue API credentials, generate unlimited coupons and vouchers, assign arbitrary partner commission and discount rates, alter shop product pricing and limits, reassign server ownership or identifiers, and modify user accounts including roles, credits, passwords, and linked Pterodactyl IDs to achieve full privilege escalation, as well as abuse logBackIn() without the login_as permission to interfere with admin impersonation sessions. This issue has been fixed in version 1.2.0.

AI Generated Translation

CtrlPanel è un software di fatturazione open-source per fornitori di hosting. Le versioni 1.1.1 e precedenti presentano una vulnerabilità di broken access control in cui più controller amministrativi applicano controlli di autorizzazione sulle funzioni di visualizzazione dei moduli, ma omettono controlli equivalenti sulle corrispondenti funzioni di scrittura, consentendo a qualsiasi utente autenticato di bypassare RBAC tramite richieste POST/PATCH dirette. I controller privi di controlli sulle funzioni di scrittura store() e update() includono ApplicationApiController (admin.api.write), CouponController (admin.coupons.write), PartnerController (admin.partners.write), ShopProductController (admin.store.write), UsefulLinkController (admin.useful_links.write) e VoucherController (admin.voucher.write); ProductController (admin.products.edit), ServerController (write/change_owner/change_identifier) e UserController (write/change_email/change_credits/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit) mancano di controlli solo su update(), e ActivityLogController esponeva metodi stub vuoti di store()/update() che accettavano silenziosamente qualsiasi richiesta. Un attaccante autenticato senza privilegi di scrittura admin può generare credenziali API, creare coupon e voucher illimitati, assegnare arbitrariamente commissioni e sconti ai partner, modificare prezzi e limiti dei prodotti nel negozio, riassegnare proprietà o identificativi dei server, e modificare account utente inclusi ruoli, crediti, password e ID Pterodactyl collegati, raggiungendo un escalation completa dei privilegi, oltre a abusare di logBackIn() senza il permesso login_as per interferire con le sessioni di impersonificazione admin. Questo problema è stato risolto nella versione 1.2.0.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0003

Percentile

0,1th

Updated

Single Data Point

Only one EPSS measurement is available for this CVE. Trend analysis requires multiple data points over time.

284

Improper Access Control

Incomplete

Abstraction: Pillar Structure: Simple

Common Consequences

Security Scopes Affected:

Other

Potential Impacts:

Varies By Context

Applicable Platforms

Technologies: Not Technology-Specific, ICS/OT, Web Based

View CWE Details

862

Missing Authorization

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Access Control Availability

Potential Impacts:

Read Application Data Read Files Or Directories Modify Application Data Modify Files Or Directories Gain Privileges Or Assume Identity Bypass Protection Mechanism Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)