Description
HestiaCP panel cronjob feature is affected by a broken access control vulnerability. Low privilege users can modify the panel cronjob to execute HestiaCP management scripts with passwordless sudo. This could result in the takeover of administrator users in the application and the underlying web server.
Published: 2026-07-04
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A broken access control flaw in the HestiaCP panel’s cronjob feature allows low‑privilege users to modify scheduled tasks. By editing a cron entry, the attacker can trigger HestiaCP management scripts with password‑less sudo, effectively granting themselves the privileges of an administrator. This leads to application‑level takeover and potentially the underlying web server, exposing all data and services controlled by that server. The weakness is a classic case of broken access control (CWE‑287).

Affected Systems

Affected: HestiaCP (all current releases). The vulnerability appears to affect every build that exposes the cronjob functionality.

Risk and Exploitability

The CVSS base score of 8.3 denotes high severity, with significant impact on confidentiality, integrity, and availability. No EPSS score is available and the vulnerability is not listed in CISA KEV, so there is currently no evidence of active exploitation. Exploitation requires an authenticated low-privilege account in the HestiaCP web interface, after which the attacker can manipulate the cron configuration to run privileged scripts. In the absence of a publicly issued fix, the attack vector is presumed to be local and authenticated, relying on the web panel.

Generated by OpenCVE AI on July 5, 2026 at 07:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest HestiaCP release that incorporates the security fix referenced in pull request 5440.
  • Remove or restrict password‑less sudo permissions for HestiaCP management scripts to prevent privileged execution.
  • Limit cronjob editing privileges to administrator accounts only, ensuring that only users with full access can alter scheduled tasks.
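The second recommended action above is to remove or restrict password-less sudo for the panel's management scripts. The following POSIX shell check is an added example, not OpenCVE's or HestiaCP's own tooling: it lists the effective sudoers rules that grant NOPASSWD on commands under a given path prefix, so an administrator can see exactly which entries would need tightening. The sudoers content is constructed for illustration, and the /usr/local/hestia/bin prefix is an assumption about the install layout rather than something the page states.

```shell
#!/bin/sh
# Added defender-side audit: list sudoers rules that grant NOPASSWD on commands
# under a given path prefix. Sample content below is constructed; the
# /usr/local/hestia/bin prefix is an assumed install path, not taken from the page.

# Print each effective sudoers line (comments and blank lines dropped) from FILE
# that contains a NOPASSWD tag and references a command under PREFIX.
nopasswd_rules_for_prefix() {
  file="$1"
  prefix="$2"
  grep -v '^[[:space:]]*#' "$file" \
    | grep -v '^[[:space:]]*$' \
    | grep 'NOPASSWD:' \
    | grep -F -- "$prefix"
}

# Count such rules; prints 0 when there are none (grep's no-match exit status
# is absorbed because wc/tr are the last commands in the pipeline).
count_nopasswd_rules_for_prefix() {
  nopasswd_rules_for_prefix "$1" "$2" | wc -l | tr -d '[:space:]'
}

# Write a constructed sample sudoers file (not HestiaCP's real file) to PATH.
write_sample_sudoers() {
  cat > "$1" <<'EOF'
Defaults env_reset
# hypothetical panel entries (constructed for this example)
admin ALL=(ALL) NOPASSWD: /usr/local/hestia/bin/*
www-data ALL=(ALL) NOPASSWD: /usr/local/hestia/bin/v-add-cron-job
backup ALL=(ALL) NOPASSWD: /usr/bin/rsync
root ALL=(ALL:ALL) ALL
EOF
}

# Stand-alone demo: run with --demo to audit the constructed sample.
# On a real host you would point nopasswd_rules_for_prefix at /etc/sudoers
# and each file under /etc/sudoers.d instead.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  write_sample_sudoers "$tmp"
  nopasswd_rules_for_prefix "$tmp" /usr/local/hestia/bin
  rm -f "$tmp"
fi
```

Against the sample, the audit reports the two rules touching the assumed panel prefix (a wildcard grant and a single-script grant) and ignores the unrelated rsync rule; wildcard NOPASSWD grants over an entire script directory are the ones to scrutinise first, since any script added or modified under that directory inherits the privilege.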

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 13:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hestiacp
                                      Hestiacp hestiacp
Vendors & Products                    Hestiacp
                                      Hestiacp hestiacp

Sat, 04 Jul 2026 12:15:00 +0000

Type          Values Removed   Values Added
Description                    HestiaCP panel cronjob feature is affected by a broken access control vulnerability. Low privilege users can modify the panel cronjob to execute HestiaCP management scripts with passwordless sudo. This could result in the takeover of administrator users in the application and the underlying web server.
Title                          HestiaCP Admin Takeover
Weaknesses                     CWE-287
References
Metrics                        cvssV4_0 {'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: PRJBLK

Published:

Updated: 2026-07-04T12:05:19.775Z

Reserved: 2026-06-14T07:01:19.115Z

Link: CVE-2026-12196

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T08:00:12Z

Weaknesses