Description
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.
Published: 2026-05-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CWE‑61 path traversal flaw in a chmod call within the cPanel Nova plugin. When an authenticated cPanel user creates a symbolic link inside their user‑controlled legacy Nova path, the plugin follows the link and applies root ownership to the target file or directory. This allows the attacker to change permissions on arbitrary system files or directories, leading to either a denial of service or local privilege escalation to root.

Affected Systems

Affected products include WebPros cPanel and WebPros WP Squared, as well as cPanel running on CentOS 6 and CloudLinux 6. Users of these systems should verify the version of the Nova plugin and the operating system distribution to determine whether the vulnerability applies.

Risk and Exploitability

The CVE has no publicly disclosed exploit and the EPSS score is not available; the CVSS score of 8.8 indicates a high‑severity vulnerability. The flaw permits local privilege escalation for authenticated users, which constitutes a high‑severity risk. Because the attacker only needs to be an authorized cPanel user, the likelihood of exploitation is significant in environments where administrators trust users with file system access. The vulnerability is not listed in CISA’s KEV catalog, but the potential impact warrants prompt attention.

Generated by OpenCVE AI on May 8, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest security update released by WebPros for the cPanel Nova plugin to eliminate the symlink traversal issue.
  • If an update is unavailable, remove or restrict user write access to the legacy Nova path and prohibit the creation of symlinks within it.
  • Configure the system to prevent chmod operations from following symlinks—either by adjusting file system mount options or applying appropriate ACL settings to mitigate risk.

Generated by OpenCVE AI on May 8, 2026 at 21:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 21:30:00 +0000

Type Values Removed Values Added
Title Symlink Traversal Allowing Local Privilege Escalation in cPanel Nova

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.
Weaknesses CWE-61
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-09T03:56:05.260Z

Reserved: 2026-03-04T15:00:09.267Z

Link: CVE-2026-29203

cve-icon Vulnrichment

Updated: 2026-05-08T19:20:00.014Z

cve-icon NVD

Status : Received

Published: 2026-05-08T19:16:30.147

Modified: 2026-05-08T20:16:30.013

Link: CVE-2026-29203

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T21:30:05Z

Weaknesses