Description
CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any authenticated user to bypass RBAC via direct POST/PATCH requests. Controllers missing checks on write methods store() and update() include ApplicationApiController (admin.api.write), CouponController (admin.coupons.write), PartnerController (admin.partners.write), ShopProductController (admin.store.write), UsefulLinkController (admin.useful_links.write), and VoucherController (admin.voucher.write); ProductController (admin.products.edit), ServerController (write/change_owner/change_identifier), and UserController (write/change_email/change_credits/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit) are missing checks on update() only, and ActivityLogController exposed empty stub store()/update() methods that silently accepted any request. An authenticated attacker without admin write privileges can issue API credentials, generate unlimited coupons and vouchers, assign arbitrary partner commission and discount rates, alter shop product pricing and limits, reassign server ownership or identifiers, and modify user accounts including roles, credits, passwords, and linked Pterodactyl IDs to achieve full privilege escalation, as well as abuse logBackIn() without the login_as permission to interfere with admin impersonation sessions. This issue has been fixed in version 1.2.0.
Published: 2026-05-19
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a broken access control flaw: several admin controllers in CtrlPanel check the caller's permission in the methods that render a form (create()/edit()) but not in the write methods that process the submitted form (store()/update()), so the check is bypassed by skipping the form entirely and sending the POST or PATCH request directly. Any authenticated user can therefore create or modify coupons, vouchers, partners, shop product pricing and limits, API credentials, server ownership and identifiers, and other users' accounts. Changing another user's role, credits or password through UserController::update() is enough to obtain full administrative control. The weakness is tracked as CWE-284 (Improper Access Control) and CWE-862 (Missing Authorization).
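The pattern described above (a check on the form method, none on the write method) is easy to find statically. The following Python script is an added example, not CtrlPanel's own code or tooling: it parses each public method of a Laravel controller, collects the permissions enforced on it either inline or through constructor middleware, and reports every store()/update() that is weaker than its matching create()/edit(), as well as empty stub bodies like those the description attributes to ActivityLogController. The PHP samples embedded in it are constructed to mirror the described pattern, and the checkPermission() helper name is an assumption rather than CtrlPanel's actual API.

```python
import re

# Form-display method -> write method that must carry the same permission check.
PAIRS = {"create": "store", "edit": "update"}

CLASS_RE = re.compile(r"\bclass\s+(\w+)")
METHOD_RE = re.compile(r"public\s+function\s+(\w+)\s*\([^)]*\)\s*(?::\s*[\w\\|?]+)?\s*\{")
# Inline authorization idioms; checkPermission() is a hypothetical helper name used in the samples.
INLINE_CHECK_RE = re.compile(r"""\b(?:checkPermission|authorize|can)\s*\(\s*['"]([\w.:-]+)['"]""")
# Constructor middleware: $this->middleware('can:perm')->only([...]) or ->except([...]).
MW_RE = re.compile(r"""middleware\(\s*['"]can:([\w.:-]+)['"]\s*\)(?:\s*->\s*(only|except)\s*\(\s*\[([^\]]*)\]\s*\))?""")

def method_bodies(src):
    """Map each public method name to its body text, found by brace matching."""
    bodies = {}
    for m in METHOD_RE.finditer(src):
        depth, start = 0, m.end() - 1  # index of the opening '{'
        for i in range(start, len(src)):
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    bodies[m.group(1)] = src[start:i + 1]
                    break
    return bodies

def middleware_perms(ctor_body, method_names):
    """Map each method to the permissions that constructor middleware enforces on it."""
    covered = {n: set() for n in method_names}
    for perm, mode, lst in MW_RE.findall(ctor_body):
        listed = set(re.findall(r"['\"](\w+)['\"]", lst))
        for n in method_names:
            if mode == "" or (mode == "only" and n in listed) or (mode == "except" and n not in listed):
                covered[n].add(perm)
    return covered

def body_is_stub(body):
    """True when a method body is empty apart from comments, i.e. it accepts any request."""
    inner = re.sub(r"//[^\n]*|/\*.*?\*/", "", body.strip()[1:-1], flags=re.S)
    return inner.strip() == ""

def audit_controller(src):
    """Return (class, write_method, reason) for each write method weaker than its form method."""
    cls = CLASS_RE.search(src)
    name = cls.group(1) if cls else "<unknown>"
    bodies = method_bodies(src)
    mw = middleware_perms(bodies.get("__construct", ""), list(bodies))

    def perms(method):  # permissions enforced on a method by middleware or inline checks
        return mw.get(method, set()) | set(INLINE_CHECK_RE.findall(bodies.get(method, "")))

    findings = []
    for show, write in PAIRS.items():
        if write not in bodies:
            continue
        if body_is_stub(bodies[write]):
            findings.append((name, write, "empty stub accepts any request"))
        elif perms(show) - perms(write):
            findings.append((name, write, "missing " + ", ".join(sorted(perms(show) - perms(write)))))
    return findings

# Constructed samples modelled on the pattern in the description; not CtrlPanel's actual source.
VULNERABLE = """<?php
class CouponController extends Controller
{
    public function create() { $this->checkPermission('admin.coupons.write'); return view('admin.coupons.create'); }
    public function store(Request $request) { Coupon::create($request->validate(['code' => 'required'])); return redirect()->route('admin.coupons.index'); }
    public function edit(Coupon $coupon) { $this->checkPermission('admin.coupons.write'); return view('admin.coupons.edit', compact('coupon')); }
    public function update(Request $request, Coupon $coupon) { $coupon->update($request->validate(['code' => 'required'])); return redirect()->route('admin.coupons.index'); }
}
"""
FIXED = """<?php
class CouponController extends Controller
{
    public function __construct()
    {
        $this->middleware('can:admin.coupons.write')->only(['create', 'store', 'edit', 'update']);
    }
    public function create() { return view('admin.coupons.create'); }
    public function store(Request $request) { Coupon::create($request->validate(['code' => 'required'])); return redirect()->route('admin.coupons.index'); }
    public function edit(Coupon $coupon) { return view('admin.coupons.edit', compact('coupon')); }
    public function update(Request $request, Coupon $coupon) { $coupon->update($request->validate(['code' => 'required'])); return redirect()->route('admin.coupons.index'); }
}
"""
STUB = """<?php
class ActivityLogController extends Controller
{
    public function store(Request $request) { /* TODO */ }
    public function update(Request $request, $id) { /* TODO */ }
}
"""

if __name__ == "__main__":
    for src in (VULNERABLE, FIXED, STUB):
        for cls, method, reason in audit_controller(src):
            print(f"{cls}::{method}: {reason}")
```

To use it on a real code base, read each file under app/Http/Controllers/Admin into audit_controller(). A clean result is not proof of safety: permissions applied in the route file, in Form Request authorize() methods, or through helper names the regex does not know are invisible to it, so confirm on a staging instance by sending each admin POST/PATCH from a non-admin session and expecting a 403.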

Affected Systems

The affected product is CtrlPanel from vendor Ctrlpanel-gg. Versions 1.1.1 and earlier are impacted because the write methods (store() and/or update()) of the following admin controllers lack the authorization checks that their form-display methods perform: ApplicationApiController, CouponController, PartnerController, ShopProductController, UsefulLinkController, VoucherController, ProductController, ServerController and UserController; ActivityLogController additionally shipped empty store()/update() stubs. Any authenticated user without administrative write permissions can therefore perform these privileged operations. The issue was resolved in version 1.2.0.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) is High: the attack is network-reachable, needs only a low-privileged account and no user interaction, and the vector rates the confidentiality and integrity impact as high with no availability impact. The EPSS score is below 1% and the CVE is not in the CISA KEV catalog; the SSVC assessment recorded in the history below lists Exploitation as "poc", meaning a proof of concept exists but in-the-wild exploitation has not been reported. Exploitation is nonetheless straightforward in practice: any authenticated user of a CtrlPanel instance can reach the admin write routes with ordinary HTTP requests, and the UserController::update() path alone lets the attacker change their own role or another account's password, which is full compromise of the application's data and user accounts.

Generated by OpenCVE AI on May 19, 2026 at 23:26 UTC.

Remediation

Fixed by the vendor in CtrlPanel 1.2.0, as stated in the description above. No workaround short of upgrading has been published.

OpenCVE Recommended Actions

  • Upgrade CtrlPanel to version 1.2.0 or later.
  • Audit data that a low-privileged user could have written while the instance was vulnerable: API credentials (ApplicationApiController), coupons and vouchers, partner commission and discount rates, shop product pricing and limits, server owner and identifier changes, and user role, credit, password, email and Pterodactyl ID changes. Revoke API credentials and reverse changes that no administrator made.
  • When extending or forking the code, apply the permission check to the write method (store()/update()) as well as the form method (create()/edit()), or declare it once as controller middleware covering both, and test every admin write route with a non-admin account expecting a 403.


Advisories

No advisories yet.

History

Wed, 20 May 2026 15:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values Added: Ctrlpanel-gg, Ctrlpanel-gg panel

Type: Vendors & Products
Values Added: Ctrlpanel-gg, Ctrlpanel-gg panel

Tue, 19 May 2026 22:00:00 +0000

Type: Description
Values Added: (the description shown in the Description section at the top of this page)

Type: Title
Values Added: CtrlPanel: Missing Authorization on Admin Write Endpoints Allows RBAC Bypass

Type: Weaknesses
Values Added: CWE-284, CWE-862

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T15:03:09.599Z

Reserved: 2026-03-27T13:43:14.368Z

Link: CVE-2026-34358

Vulnrichment

Updated: 2026-05-20T15:01:49.743Z

NVD

Status : Deferred

Published: 2026-05-19T22:16:37.637

Modified: 2026-05-20T16:16:25.360

Link: CVE-2026-34358

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:53Z

Weaknesses