CVE-2026-37504 Overview
CVE-2026-37504 affects V2Board through version 1.7.4, an open-source subscription management panel. The vulnerability resides in app/Http/Controllers/Server/UniProxyController.php, where the server authentication token is accepted as a GET query parameter. Requests such as /api/v1/server/UniProxy/user?token=SECRET cause the secret to be persisted in web server access logs, browser history, HTTP Referer headers, and intermediate proxy or CDN logs. An attacker with read access to any of these log surfaces can recover the token and impersonate a proxy server node. This vulnerability is classified under CWE-598 (Use of GET Request Method With Sensitive Query Strings).
Critical Impact
An attacker who recovers the leaked server_token from logs can impersonate a V2Board proxy node and intercept all user traffic routed through that node.
Affected Products
- V2Board through version 1.7.4
- app/Http/Controllers/Server/UniProxyController.php endpoint handler
- Deployments exposing /api/v1/server/UniProxy/* routes behind logging proxies or CDNs
Discovery Timeline
- 2026-05-01 - CVE-2026-37504 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-37504
Vulnerability Analysis
V2Board uses a shared server_token to authenticate proxy node callbacks to the central panel. The UniProxyController accepts this token via the URL query string rather than an HTTP header or request body. Query string parameters are written verbatim to nearly every component that handles the request. Default Nginx and Apache access log formats record the full request URI, including the token. Browsers store the URL in history and forward it in the Referer header to third-party resources loaded by the response. CDNs and reverse proxies replicate the same data into their own log pipelines.
Root Cause
The root cause is improper transmission of a long-lived secret over a GET parameter. Sensitive credentials must travel in request headers or POST bodies that logging infrastructure does not capture by default. The UniProxyController.php route handler reads $request->input('token'), which transparently accepts the value from the query string. No alternative header-based authentication path is enforced.
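The following Python sketch is an added illustration, not V2Board code (V2Board is a PHP/Laravel application): it models the flawed query-string pattern beside a header-based check and shows what a default combined-format access log records for each. The Request class, the sample token and the log line are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed sample secret; a real deployment keeps server_token in its config.
SERVER_TOKEN = "constructed-example-token"


@dataclass
class Request:
    """Minimal model of an inbound HTTP request (hypothetical, for illustration)."""
    method: str
    target: str  # path plus query string, e.g. /api/v1/server/UniProxy/user?token=...
    headers: dict = field(default_factory=dict)

    @property
    def path(self) -> str:
        return urlsplit(self.target).path

    @property
    def query(self) -> dict:
        return {k: v[0] for k, v in parse_qs(urlsplit(self.target).query).items()}


def access_log_line(req: Request) -> str:
    """What a default Nginx/Apache combined log records: the full request line,
    query string included. Client address and timestamp are constructed."""
    return (f'203.0.113.10 - - [01/May/2026:12:00:00 +0000] '
            f'"{req.method} {req.target} HTTP/1.1" 200 512')


def auth_vulnerable(req: Request) -> bool:
    """Mirrors the flawed pattern: the token is read from the query string,
    so every log that stores the request URI also stores the secret."""
    token = req.query.get("token")
    return token is not None and hmac.compare_digest(token, SERVER_TOKEN)


def auth_hardened(req: Request) -> bool:
    """Token must arrive in an 'Authorization: Bearer <token>' header; any
    token in the query string is ignored, so it never needs to be sent there."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token, SERVER_TOKEN)
```

Both checks use a constant-time comparison; the difference that matters for this CVE is only where the secret travels, and therefore which logs end up holding it.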
Attack Vector
An attacker requires read access to any log source that recorded inbound requests to the V2Board panel. Sources include shared hosting access logs, SIEM archives, CDN analytics dashboards, and backup snapshots of log volumes. After extracting a valid server_token, the attacker issues authenticated requests to UniProxy endpoints, registers as a node, and receives the user list and connection metadata. The attacker can then operate a rogue proxy that intercepts and decrypts user traffic. Exploitation requires user interaction to surface the token in third-party logs.
No verified proof-of-concept code is published; refer to the GitHub Gist PoC Repository and the V2Board Project Repository for technical context.
Detection Methods for CVE-2026-37504
Indicators of Compromise
- Access log entries matching GET /api/v1/server/UniProxy/ with a token= query parameter present in the request URI.
- UniProxy authentication requests originating from IP addresses that do not match the inventory of legitimate proxy nodes.
- Sudden appearance of new or duplicated node identifiers checking in to the panel using a known-valid token.
Detection Strategies
- Grep historical web server, CDN, and load balancer access logs for the string UniProxy combined with token= to enumerate exposure windows.
- Correlate UniProxy request source IPs against the configured node allowlist and alert on deviations.
- Monitor for outbound Referer headers on the panel domain that include token= values, indicating browser-driven leakage.
Monitoring Recommendations
- Forward V2Board panel access logs to a centralized analytics pipeline and retain them for at least 90 days for retrospective hunting.
- Add a detection rule that flags any HTTP request to the V2Board API containing a token query parameter.
- Audit third-party access to historical log archives, including backup storage and CDN provider portals.
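As an added example (not part of this advisory or of V2Board), the following Python script applies the detection strategies above to Nginx/Apache combined-format access logs: it flags UniProxy requests carrying token=, flags source IPs outside a node allowlist, flags token= values in Referer headers, redacts the token value in its findings so reports do not re-leak it, and reports the exposure window. The allowlist and the log lines are constructed.

```python
import re
from collections import Counter
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# Nginx/Apache "combined" format:
# ip - user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed inventory of legitimate proxy nodes (an assumption for this example).
NODE_ALLOWLIST = {"198.51.100.7", "198.51.100.8"}


def redact_token(target: str) -> str:
    """Replace the token value so findings can be shared without re-leaking it."""
    return re.sub(r"(?i)(token=)[^&]*", r"\1<REDACTED>", target)


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    target = m["target"]
    parts = urlsplit(target)
    findings = []
    if "/api/v1/server/UniProxy/" in parts.path:
        if "token" in parse_qs(parts.query):
            findings.append("token_in_query")       # secret persisted in this log
        if m["ip"] not in NODE_ALLOWLIST:
            findings.append("unlisted_source_ip")   # node check-in from unknown host
    # A token= in the Referer means a browser forwarded the secret to this resource.
    if "token=" in m["referer"].lower():
        findings.append("token_in_referer")
    if not findings:
        return None
    return {"ip": m["ip"], "time": m["time"],
            "target": redact_token(target), "findings": findings}


def hunt(lines: Iterable[str]) -> dict:
    """Scan many lines; summarise finding types and the token exposure window."""
    hits = [h for h in map(scan_line, lines) if h]
    summary = Counter(f for h in hits for f in h["findings"])
    exposure = [h["time"] for h in hits if "token_in_query" in h["findings"]]
    return {"hits": hits, "summary": dict(summary),
            "first_seen": exposure[0] if exposure else None,
            "last_seen": exposure[-1] if exposure else None}


# Constructed log lines for demonstration; no real tokens, hosts or addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [01/May/2026:08:00:01 +0000] "GET /api/v1/server/UniProxy/config?token=EXAMPLETOKEN HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.55 - - [03/May/2026:21:14:09 +0000] "GET /api/v1/server/UniProxy/user?token=EXAMPLETOKEN HTTP/1.1" 200 4096 "-" "python-requests/2.31"
198.51.100.8 - - [04/May/2026:09:30:00 +0000] "GET /api/v1/server/UniProxy/user HTTP/1.1" 200 4096 "-" "curl/8.0"
192.0.2.9 - - [04/May/2026:10:02:17 +0000] "GET /assets/app.js HTTP/1.1" 200 2048 "https://panel.example/api/v1/server/UniProxy/user?token=EXAMPLETOKEN" "Mozilla/5.0"
192.0.2.9 - - [04/May/2026:10:02:18 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    report = hunt(SAMPLE_LOG.splitlines())
    print(report["summary"], report["first_seen"], report["last_seen"])
    for hit in report["hits"]:
        print(hit)
```

Run it over real archives with something like `hunt(open(path))`; the "first_seen"/"last_seen" pair bounds the window during which the token sat in that log source and should be compared against the rotation date once the token is replaced.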
How to Mitigate CVE-2026-37504
Immediate Actions Required
- Rotate the server_token for every V2Board deployment and redistribute it to legitimate proxy nodes through a secure channel.
- Purge or sanitize historical access logs, browser history exports, and CDN log archives that contain the leaked token.
- Restrict the V2Board UniProxy API to known node IP addresses using firewall or web server allowlists.
Patch Information
No vendor patch reference is published in the NVD entry at the time of writing. Track the V2Board Project Repository for an updated release that moves authentication to a request header.
Workarounds
- Place a reverse proxy in front of V2Board that rewrites the token query parameter into an Authorization header before forwarding the request, then strips the parameter from upstream logs.
- Configure Nginx or Apache to omit query strings from access logs for the /api/v1/server/UniProxy/ path using a custom log_format.
- Disable referrer transmission on the panel by serving a Referrer-Policy: no-referrer response header to limit token leakage to third parties.
# Nginx example: strip query string from access log for UniProxy routes
# $uri carries the path only; $request_uri would include the token= query string.
log_format uniproxy_safe '$remote_addr - $remote_user [$time_local] '
                         '"$request_method $uri $server_protocol" '
                         '$status $body_bytes_sent "$http_user_agent"';
location /api/v1/server/UniProxy/ {
    access_log /var/log/nginx/v2board_uniproxy.log uniproxy_safe;
    add_header Referrer-Policy "no-referrer" always;
    proxy_pass http://v2board_upstream;
}
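The reverse-proxy workaround can also be expressed as application-level middleware. The following WSGI shim is an added example, not V2Board code or a documented V2Board deployment: it lifts the token out of the query string into an Authorization: Bearer header and drops it from the query string before the request reaches the application, so the upstream request line, and therefore the upstream access log, no longer carries the secret. It assumes the upstream handler accepts the header, which unpatched V2Board does not; the stand-in handler uniproxy_app, EXPECTED_TOKEN and the request driver are constructed for the example.

```python
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed sample secret standing in for the deployment's server_token.
EXPECTED_TOKEN = "constructed-token"


def move_token_to_header(app):
    """WSGI middleware (hypothetical shim, not V2Board code).

    Moves ?token=... into 'Authorization: Bearer ...' and removes it from
    QUERY_STRING before the wrapped application sees the request. Other
    query parameters are preserved in order.
    """
    def shim(environ, start_response):
        pairs = parse_qsl(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        kept, token = [], None
        for key, value in pairs:
            if key == "token" and token is None:
                token = value
            else:
                kept.append((key, value))
        if token is not None:
            environ = dict(environ)  # do not mutate the server's environ in place
            environ["HTTP_AUTHORIZATION"] = f"Bearer {token}"
            environ["QUERY_STRING"] = urlencode(kept)
        return app(environ, start_response)
    return shim


def uniproxy_app(environ, start_response):
    """Stand-in for a header-authenticating upstream handler. It returns the
    path plus remaining query string, i.e. what its own access log would record."""
    expected = f"Bearer {EXPECTED_TOKEN}".encode()
    presented = environ.get("HTTP_AUTHORIZATION", "").encode()
    if not hmac.compare_digest(presented, expected):
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"unauthorized"]
    query = environ.get("QUERY_STRING", "")
    logged = environ["PATH_INFO"] + (f"?{query}" if query else "")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [logged.encode()]


def call(app, path, query, headers=None):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    environ.update(headers or {})
    status_holder = []

    def start_response(status, response_headers, exc_info=None):
        status_holder.append(status)

    body = b"".join(app(environ, start_response)).decode()
    return status_holder[0], body


if __name__ == "__main__":
    wrapped = move_token_to_header(uniproxy_app)
    print(call(wrapped, "/api/v1/server/UniProxy/user", "token=constructed-token&node_id=3"))
```

The shim only reduces what the upstream records; the edge proxy running it still receives the token in the URL, so its own access log must be configured to omit the query string as in the Nginx example above, and the token rotation in Immediate Actions still applies.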
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.