CVE-2026-34358 Overview
CVE-2026-34358 is a broken access control vulnerability [CWE-284] in CtrlPanel, an open-source billing platform for hosting providers. Versions 1.1.1 and prior enforce role-based access control (RBAC) checks on form display methods in multiple admin controllers but omit those checks on the corresponding write methods. Any authenticated user can bypass RBAC by issuing direct POST or PATCH requests to the affected endpoints. Successful exploitation enables full privilege escalation, including modifying user roles, credits, and passwords. The issue is fixed in version 1.2.0.
Critical Impact
Authenticated users without admin write privileges can issue API credentials, manipulate billing data, reassign server ownership, and elevate their own accounts to administrator.
Affected Products
- CtrlPanel versions 1.1.1 and prior
- CtrlPanel admin controllers including ApplicationApiController, CouponController, PartnerController, ShopProductController, UsefulLinkController, and VoucherController
- CtrlPanel ProductController, ServerController, UserController, and ActivityLogController write endpoints
Discovery Timeline
- 2026-05-19 - CVE-2026-34358 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-34358
Vulnerability Analysis
The vulnerability stems from inconsistent RBAC enforcement across admin controllers. CtrlPanel applies permission middleware to methods that render forms but fails to apply equivalent middleware to the store() and update() methods that process submitted data. An attacker with any authenticated session can call these write endpoints directly through crafted HTTP requests.
Multiple controllers are missing checks on both store() and update(), including ApplicationApiController (admin.api.write), CouponController (admin.coupons.write), PartnerController (admin.partners.write), ShopProductController (admin.store.write), UsefulLinkController (admin.useful_links.write), and VoucherController (admin.voucher.write). Additional controllers, including ProductController, ServerController, and UserController, lack checks on update() only. ActivityLogController exposed empty stub store() and update() methods that silently accepted any request.
Root Cause
The root cause is a missing authorization control [CWE-284] pattern repeated across the admin namespace. Permission gates were attached only to read-side rendering routes. The write-side controller actions did not inherit or re-declare the corresponding gate, leaving the mutation endpoints unprotected.
Attack Vector
An attacker authenticates as any low-privilege user and submits direct POST or PATCH requests to admin write routes. The attacker can generate unlimited coupons and vouchers, assign arbitrary partner commission and discount rates, alter shop product pricing, reassign server ownership or identifiers, and modify user accounts including roles, credits, passwords, and linked Pterodactyl IDs. The attacker can also abuse logBackIn() without the login_as permission to interfere with admin impersonation sessions. See the GitHub Security Advisory GHSA-pxmw-gj52-9p68 for the full list of affected routes.
Detection Methods for CVE-2026-34358
Indicators of Compromise
- Unexpected POST or PATCH requests from non-admin user sessions to routes such as /admin/api, /admin/coupons, /admin/vouchers, /admin/partners, /admin/store, /admin/users, and /admin/servers
- New API credentials, coupons, or vouchers created by accounts lacking the corresponding admin.*.write permission
- User records showing role changes, credit increases, password resets, or modified Pterodactyl IDs without a matching admin action audit entry
- Server ownership or identifier reassignments performed by non-administrative accounts
Detection Strategies
- Review web server and application logs for write requests to /admin/* endpoints initiated by sessions whose user role does not include the matching write permission
- Correlate database change events on users, coupons, vouchers, partners, and products tables with the authenticated user ID responsible for the change
- Alert on calls to logBackIn() from accounts that do not hold the login_as permission
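The first and third detection strategies above, worked as an added example that is not part of the advisory or of CtrlPanel: it flags accepted write requests to the admin routes named under Indicators of Compromise whose user lacks the matching admin.*.write permission, and logBackIn() calls from accounts without login_as. The request-feed format, the path prefixes, the /logbackin route and the role data are constructed assumptions.

```python
import re
# Constructed sample feed (not real CtrlPanel output): user id, method, path, status.
SAMPLE_LOG = """\
2026-05-20T10:01:02Z uid=7 GET /admin/coupons/create 403
2026-05-20T10:01:09Z uid=7 POST /admin/coupons 302
2026-05-20T10:02:15Z uid=1 POST /admin/vouchers 302
2026-05-20T10:03:40Z uid=9 PATCH /admin/partners/3 302
2026-05-20T10:04:01Z uid=9 POST /admin/users/1/logbackin 302
2026-05-20T10:05:00Z uid=7 PATCH /admin/store/12 403
"""

# Permission each write route should have required (names from the advisory;
# the path prefixes under which the routes live are assumptions).
WRITE_PERMISSION_BY_PREFIX = {
    "/admin/api": "admin.api.write",
    "/admin/coupons": "admin.coupons.write",
    "/admin/partners": "admin.partners.write",
    "/admin/store": "admin.store.write",
    "/admin/vouchers": "admin.voucher.write",
}

# Constructed role data: uid 1 is an administrator, 7 an ordinary user, 9 limited staff.
USER_PERMISSIONS = {1: {"admin.coupons.write", "admin.voucher.write", "admin.partners.write",
                        "login_as"}, 7: set(), 9: {"admin.coupons.write"}}

LINE_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$", re.M)

def required_permission(method, path):
    # Only state-changing methods matter; the GET form routes were already gated.
    if method not in ("POST", "PATCH", "PUT", "DELETE"):
        return None
    if path.endswith("/logbackin"):  # assumed route for logBackIn()
        return "login_as"
    for prefix, perm in WRITE_PERMISSION_BY_PREFIX.items():
        if path == prefix or path.startswith(prefix + "/"):
            return perm
    return None

def find_unauthorized_writes(log_text, user_permissions):
    # Collect accepted (non-4xx/5xx) admin writes made without the required permission.
    findings = []
    for m in LINE_RE.finditer(log_text):
        perm = required_permission(m["method"], m["path"])
        if perm is None or int(m["status"]) >= 400:
            continue  # not an admin write, or the server already rejected it
        uid = int(m["uid"])
        if perm not in user_permissions.get(uid, set()):
            findings.append((m["ts"], uid, m["method"], m["path"], perm))
    return findings
```

Rejected requests (4xx) are deliberately skipped, so the same check stays quiet once 1.2.0 is in place and the write methods start returning 403.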
Monitoring Recommendations
- Enable verbose audit logging for all admin namespace routes and forward logs to a centralized SIEM for analysis
- Baseline normal administrative write activity and alert on deviations such as bulk voucher creation or rapid role changes
- Monitor authentication and impersonation events for sessions that switch between user contexts unexpectedly
How to Mitigate CVE-2026-34358
Immediate Actions Required
- Upgrade CtrlPanel to version 1.2.0 or later without delay
- Rotate all admin API credentials, user passwords, and session tokens after upgrading
- Audit the users, coupons, vouchers, partners, products, and servers tables for unauthorized changes made while running affected versions
- Review activity logs for unexpected impersonation events triggered through logBackIn()
Patch Information
The fix is available in CtrlPanel 1.2.0, which adds the missing permission checks to all affected store() and update() methods and removes the silent stub handlers in ActivityLogController. See the GitHub Release 1.2.0 for full release notes.
Workarounds
- If patching cannot occur immediately, restrict access to the /admin/* route group at the reverse proxy or web server layer to known administrator IP addresses
- Disable new user registration to limit the pool of authenticated accounts able to reach the vulnerable endpoints
- Temporarily revoke non-essential user sessions and require re-authentication after the upgrade is complete
# Example: restrict admin routes to a trusted IP range in nginx
# (203.0.113.0/24 is a documentation range; substitute your administrators' addresses;
# assumes an upstream block named ctrlpanel_backend and placement inside the server block)
location /admin/ {
    allow 203.0.113.0/24;
    deny all;
    proxy_pass http://ctrlpanel_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.