CVE-2026-34358— CtrlPanel: Missing Authorization on Admin Write Endpoints Allows RBAC Bypass
Possible ATT&CK Techniques 3AI
T1098.004 · SSH Authorized Keys T1059 · Command and Scripting Interpreter T1078.004 · Cloud AccountsAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Ctrlpanel-gg | panel | < 1.2.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-34358
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
CtrlPanel: Missing Authorization on Admin Write Endpoints Allows RBAC Bypass
Source: NVD (National Vulnerability Database)
Vulnerability Description
CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contains a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any authenticated user to bypass RBAC via direct POST/PATCH requests. Controllers missing checks on write methods store() and update() include ApplicationApiController (admin.api.write), CouponController (admin.coupons.write), PartnerController (admin.partners.write), ShopProductController (admin.store.write), UsefulLinkController (admin.useful_links.write), and VoucherController (admin.voucher.write); ProductController (admin.products.edit), ServerController (write/change_owner/change_identifier), and UserController (write/change_email/change_credits/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit) are missing checks on update() only, and ActivityLogController exposed empty stub store()/update() methods that silently accepted any request. An authenticated attacker without admin write privileges can issue API credentials, generate unlimited coupons and vouchers, assign arbitrary partner commission and discount rates, alter shop product pricing and limits, reassign server ownership or identifiers, and modify user accounts including roles, credits, passwords, and linked Pterodactyl IDs to achieve full privilege escalation, as well as abuse logBackIn() without the login_as permission to interfere with admin impersonation sessions. This issue has been fixed in version 1.2.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
访问控制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
CtrlPanel.gg 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
CtrlPanel.gg是CtrlPanel.gg开源的一款主机服务计费管理工具。 CtrlPanel.gg 1.1.1及之前版本存在访问控制错误漏洞,该漏洞源于多个管理员控制器在表单显示方法上执行权限检查,但在相应的写入方法上省略了等效检查,允许任何经过身份验证的用户通过直接POST/PATCH请求绕过基于角色的访问控制。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Ctrlpanel-gg | panel | < 1.2.0 | - |
II. Public POCs for CVE-2026-34358
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 10191 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-34358
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-34358 (1)
Other References for CVE-2026-34358 (1)
- Release 1.2.0 · Ctrlpanel-gg/panel · GitHubx_refsource_MISC
Same Patch Batch · Ctrlpanel-gg · 2026-05-19 · 6 CVEs total
| CVE-2026-34234 | 10.0 CRITICAL | CtrlPanel: Unauthenticated RCE using installer script |
| CVE-2026-34241 | 8.7 HIGH | CtrlPanel: Stored XSS in Ticket Reply Notifications Allows Session Hijacking |
| CVE-2026-34216 | 6.6 MEDIUM | CtrlPanel: Authenticated Remote Code Execution via Dynamic Class Instantiation in Settings |
| CVE-2026-34233 | 6.5 MEDIUM | CtrlPanel has Missing Authentication Checks in Datatable Admin Endpoints |
| CVE-2026-34246 | 4.8 MEDIUM | CtrlPanel: Stored XSS in Admin Role Management via Unescaped DataTable HTML Output |
IV. Related Vulnerabilities
Same product: panel
- CVE-2026-34246
CtrlPanel: Stored XSS in Admin Role Management via Unescaped - CVE-2026-34241
CtrlPanel: Stored XSS in Ticket Reply Notifications Allows S - CVE-2026-34234
CtrlPanel: Unauthenticated RCE using installer script - CVE-2026-34233
CtrlPanel has Missing Authentication Checks in Datatable Adm - CVE-2026-34216
CtrlPanel: Authenticated Remote Code Execution via Dynamic C
Same vendor: Ctrlpanel-gg
- CVE-2026-34246
CtrlPanel: Stored XSS in Admin Role Management via Unescaped - CVE-2026-34241
CtrlPanel: Stored XSS in Ticket Reply Notifications Allows S - CVE-2026-34234
CtrlPanel: Unauthenticated RCE using installer script - CVE-2026-34233
CtrlPanel has Missing Authentication Checks in Datatable Adm - CVE-2026-34216
CtrlPanel: Authenticated Remote Code Execution via Dynamic C
Same weakness: CWE-284
- CVE-2026-9495
@koa/router 14.0.0-15.0.0 访问控制绕过 - CVE-2026-9517
hemant6488 CodeIgniter-StudentManagementSystem Student Manag - CVE-2026-9412
SourceCodester Indian Invoicing System Backend Endpoint acce - CVE-2026-39968
TypeBot: Cross-Workspace Credential Theft via Bot-Engine Pre - CVE-2026-5171
Devolutions Server 2025.3及2026.1版本存在不当访问控制漏洞
V. Comments for CVE-2026-34358
No comments yet