Description
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.
Published: 2026-05-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a symlink-following flaw (CWE-61) in a chmod call within the cPanel Nova plugin's Cpanel::Nova::Connector. When an authenticated cPanel user creates a symbolic link inside the user-controlled legacy Nova path under their home directory, the plugin follows the link and, running with root privileges, changes the permissions of the link's target instead of the link itself. This lets the user set arbitrary permissions on system files or directories they could not otherwise modify, leading to either a denial of service or local privilege escalation to root.

Affected Systems

Affected products include WebPros cPanel and WebPros WP Squared, as well as cPanel running on CentOS 6 and CloudLinux 6. Users of these systems should verify the version of the Nova plugin and the operating system distribution to determine whether the vulnerability applies.

Risk and Exploitability

The EPSS score of < 1% indicates a very low probability of exploitation, yet the flaw permits local privilege escalation for authenticated cPanel users. The official data does not reference a public exploit, so it is inferred that none are known. The vulnerability is not listed in CISA KEV, but because the attacker only needs to be an authorized cPanel user, the potential impact remains significant in environments where administrators grant users file system write access. If a user could write to the legacy Nova path, they could set root permissions on critical system files or directories, creating a pathway to root access or denial of service.

Generated by OpenCVE AI on May 15, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest security update released by WebPros for the cPanel Nova plugin to eliminate the symlink traversal issue.
  • If an update is unavailable, remove or restrict user write access to the legacy Nova path and prohibit the creation of symlinks within it.
  • Configure the system to prevent chmod operations from following symlinks, either by adjusting file system mount options or by applying appropriate ACL settings to mitigate risk.

Advisories

No advisories yet.

History

Fri, 15 May 2026 20:45:00 +0000

Type Values Removed Values Added
Title Symlink Traversal Allowing Local Privilege Escalation in cPanel Nova

Fri, 15 May 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Webpros
Webpros cpanel
Webpros cpanel (centos 6, Cloudlinux 6)
Webpros wp Squared
Vendors & Products Webpros
Webpros cpanel
Webpros cpanel (centos 6, Cloudlinux 6)
Webpros wp Squared

Fri, 08 May 2026 21:30:00 +0000

Type Values Removed Values Added
Title Symlink Traversal Allowing Local Privilege Escalation in cPanel Nova

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.
Weaknesses CWE-61
References

MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-15T17:14:52.318Z

Reserved: 2026-03-04T15:00:09.267Z

Link: CVE-2026-29203

Vulnrichment

Updated: 2026-05-08T19:20:00.014Z

NVD

Status : Awaiting Analysis

Published: 2026-05-08T19:16:30.147

Modified: 2026-05-15T18:16:14.443

Link: CVE-2026-29203

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T20:30:06Z

Weaknesses
  • CWE-61: UNIX Symbolic Link (Symlink) Following