CVE-2026-41473: CyberPanel Auth Bypass Vulnerability

CVE-2026-41473 Overview

CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability (CWE-306: Missing Authentication for Critical Function) in the AI Scanner worker API endpoints. This vulnerability allows unauthenticated remote attackers to write arbitrary data to the database by sending malicious requests to the /api/ai-scanner/status-webhook and /api/ai-scanner/callback endpoints. Attackers can exploit the lack of authentication checks to cause denial of service through storage exhaustion, corrupt scan history records, and pollute database fields with malicious data.

Critical Impact

Unauthenticated attackers can write arbitrary data to the database, potentially causing denial of service through storage exhaustion and data corruption without requiring any authentication.

Affected Products

• CyberPanel versions prior to 2.4.4
• CyberPanel AI Scanner API endpoints (/api/ai-scanner/status-webhook)
• CyberPanel AI Scanner callback endpoint (/api/ai-scanner/callback)

Discovery Timeline

• 2026-04-24 - CVE-2026-41473 published to NVD
• 2026-04-28 - Last updated in NVD database

Technical Details for CVE-2026-41473

Vulnerability Analysis

This authentication bypass vulnerability exists in CyberPanel's AI Scanner worker API endpoints due to missing authentication checks on critical functions. The affected endpoints /api/ai-scanner/status-webhook and /api/ai-scanner/callback fail to verify that incoming requests are from authenticated sources before processing them. This allows any remote attacker to send arbitrary data that gets written directly to the database without authorization.

The vulnerability is particularly severe because it targets webhook and callback endpoints that are typically designed to receive external data. Without proper authentication mechanisms in place, these endpoints become open doors for attackers to manipulate the application's data stores.

Root Cause

The root cause of this vulnerability is the absence of authentication enforcement on the AI Scanner API endpoints. The application fails to implement proper access control checks before allowing write operations to the database. This represents a classic CWE-306 (Missing Authentication for Critical Function) weakness where critical functionality is exposed without requiring proper authentication credentials.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending specially crafted HTTP requests directly to the vulnerable API endpoints. The attack can be executed from anywhere on the network that can reach the CyberPanel installation.

# Security patch in plogical/acl.py
# Source: https://github.com/usmannasir/cyberpanel/commit/0a099b1b193946555fbdd387a28486b1521f9961

             else:
                 if childDomain.master.admin.owner == admin.pk:
                     return 1
+                else:
+                    return 0
 
         except:
             domainName = Websites.objects.get(domain=domain)

The patch adds proper return value handling to ensure unauthorized access attempts are explicitly denied by returning 0 instead of falling through without a return value.

# Security patch in websiteFunctions/website.py
# Source: https://github.com/usmannasir/cyberpanel/commit/0a099b1b193946555fbdd387a28486b1521f9961

             childDomains = []

             for web in websites:
-                for child in web.childdomains_set.filter(alais=0):
-                    if child.domain == f'mail.{web.domain}':
-                        pass
-                    else:
-                        childDomains.append(child)
+                for child in web.childdomains_set.all():
+                    if child.alais == 0:
+                        if child.domain == f'mail.{web.domain}':
+                            pass
+                        else:
+                            childDomains.append(child)

             pagination = self.getPagination(len(childDomains), recordsToShow)
             json_data = self.findChildsListJson(childDomains[finalPageNumber:endPageNumber])

This patch corrects the domain filtering logic to properly check the alais attribute after retrieving all child domains, preventing potential authorization bypass through improper filtering.

Detection Methods for CVE-2026-41473

Indicators of Compromise

• Unusual HTTP POST requests to /api/ai-scanner/status-webhook from external IP addresses
• Unexpected database growth or storage exhaustion on the CyberPanel server
• Corrupted or anomalous entries in the AI Scanner history records
• High volume of requests to /api/ai-scanner/callback endpoint without corresponding legitimate scan operations

Detection Strategies

• Monitor web server access logs for unauthenticated requests to AI Scanner API endpoints
• Implement rate limiting and anomaly detection on the /api/ai-scanner/status-webhook and /api/ai-scanner/callback endpoints
• Set up alerts for database write operations from API endpoints that lack authenticated session tokens
• Deploy Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting these endpoints

Monitoring Recommendations

• Enable verbose logging on CyberPanel API endpoints to capture request details including source IPs and payloads
• Establish baseline metrics for normal AI Scanner API traffic to identify anomalous patterns
• Configure database monitoring to alert on unusual write volumes or data integrity issues
• Implement network-level monitoring to detect scanning activity targeting CyberPanel installations

How to Mitigate CVE-2026-41473

Immediate Actions Required

• Upgrade CyberPanel to version 2.4.4 or later immediately
• If immediate patching is not possible, restrict network access to the /api/ai-scanner/status-webhook and /api/ai-scanner/callback endpoints
• Review database records for signs of unauthorized modification or data pollution
• Implement firewall rules to limit access to CyberPanel administrative interfaces

Patch Information

The vulnerability has been addressed in CyberPanel version 2.4.4. The security fix is available through the official GitHub commit. Organizations running CyberPanel should update to the latest version as soon as possible. For additional technical analysis, refer to the ItsRez RCE Analysis and the VulnCheck Advisory.

Workarounds

• Use web server configuration (nginx/Apache) to block access to /api/ai-scanner/* endpoints from untrusted sources
• Implement IP allowlisting to restrict API access to known legitimate sources only
• Deploy a reverse proxy with authentication requirements in front of the affected endpoints
• Consider disabling the AI Scanner feature entirely if not required for operations

# Nginx configuration to block unauthenticated access to AI Scanner endpoints
location ~ ^/api/ai-scanner/ {
    # Allow only trusted IP addresses
    allow 10.0.0.0/8;
    allow 192.168.1.0/24;
    deny all;
    
    # Alternatively, require authentication
    # auth_basic "Restricted Access";
    # auth_basic_user_file /etc/nginx/.htpasswd;
}