CVE-2026-43633 Overview
CVE-2026-43633 is an unauthenticated remote code execution vulnerability in HestiaCP, a Linux web server control panel. The flaw exists in the web terminal component shipped with versions 1.9.0 through 1.9.4. A session format mismatch between the PHP session handler and the Node.js web terminal allows attackers to inject crafted HTTP header data that the Node.js process deserializes as trusted session state. Successful exploitation yields root-level command execution on hosts where the web terminal feature is enabled. The issue is tracked as an Insecure Deserialization weakness under CWE-502.
Critical Impact
Unauthenticated network attackers can achieve root-level arbitrary command execution on HestiaCP servers with the web terminal enabled.
Affected Products
- HestiaCP 1.9.0
- HestiaCP 1.9.1 through 1.9.3
- HestiaCP 1.9.4
Discovery Timeline
- 2026-05-19 - CVE-2026-43633 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-43633
Vulnerability Analysis
HestiaCP integrates a Node.js-based web terminal that authenticates users by reading session data managed by PHP. The PHP application persists sessions to /data/sessions using PHP's native serialization format. The Node.js terminal server independently parses these session files and trusts values it extracts from them. This dual-runtime design creates a parser differential: data accepted by one runtime can be reinterpreted by the other with attacker-controlled semantics.
The web terminal also extracts client identity from HTTP headers without proper validation. An attacker can craft header values that pass through the PHP session writer and are subsequently deserialized by the Node.js parser as authenticated session content. Because the web terminal spawns shells with root privileges, deserialized attacker data is converted directly into command execution.
The vulnerability is reachable over the network without prior authentication, which removes the typical barrier of credential theft or social engineering. EPSS data records a score of 0.154% as of 2026-05-20, but the lack of an authentication requirement makes opportunistic scanning likely.
Root Cause
The root cause is reliance on two independent deserialization implementations operating over the same session store. PHP and Node.js disagree on how to interpret embedded delimiters and length prefixes within serialized blobs. Attacker-controlled header content written into the session record by PHP is parsed by Node.js as a structurally valid, trusted session object.
Attack Vector
An unauthenticated attacker sends HTTP requests with crafted headers to the HestiaCP web interface. The PHP session handler stores the malicious values, and the Node.js web terminal subsequently reads and trusts them. The terminal then spawns a shell under the impersonated identity, which runs as root.
// Patch excerpt: src/deb/web-terminal/server.js
#!/usr/bin/env node
-import { execSync } from 'node:child_process';
+import { execFileSync, execSync } from 'node:child_process';
import { readFileSync } from 'node:fs';
import { spawn } from 'node-pty';
import { WebSocketServer } from 'ws';
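Review bot: keeping execSync imported alongside the newly added execFileSync leaves a shell-invoking primitive in this module. If the call that hands the session ID to the PHP helper is the only remaining use of execSync, switch it to execFileSync with an argument array and drop execSync from the import so no string-built command path survives; if execSync is still needed elsewhere, the hunk should show that call site so the reviewer can confirm no attacker-influenced value reaches it.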
Source: HestiaCP commit 854d71b
The patch replaces the in-process Node.js session parser with a dedicated PHP helper script that performs session lookup using PHP's native APIs. The helper validates the session ID against a strict regular expression before loading any data:
#!/usr/local/hestia/php/bin/php
<?php
declare(strict_types=1);

function deny(string $error, int $code = 1): never {
    echo json_encode(
        ["ok" => false, "error" => $error],
        JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR,
    ), PHP_EOL;
    exit($code);
}

if (!isset($argv[1]) || !is_string($argv[1])) {
    deny("missing session id");
}
$sessionId = $argv[1];
if ($sessionId === "" || preg_match('/^[A-Za-z0-9,-]+$/', $sessionId) !== 1) {
    deny("invalid session id");
}
$hestia = getenv("HESTIA");
if (!is_string($hestia) || $hestia === "") {
    deny("missing HESTIA env");
}
session_name("HESTIASID");
session_save_path($hestia . "/data/sessions");
session_id($sessionId);
Source: HestiaCP commit 854d71b
Detection Methods for CVE-2026-43633
Indicators of Compromise
- Unexpected child processes of the Node.js web terminal binary, particularly shells running as root.
- Anomalous or malformed values in HTTP headers commonly used to convey client identity, including X-Forwarded-For and proxy headers.
- New or modified session files under /usr/local/hestia/data/sessions that contain non-printable or unusually structured payloads.
- Outbound network connections initiated by the web terminal process to attacker-controlled infrastructure.
Detection Strategies
- Monitor the HestiaCP web terminal process tree for shell invocations that do not correspond to legitimate authenticated administrator sessions.
- Inspect web server access logs for unauthenticated requests carrying long, base64-like, or serialization-style payloads in HTTP headers.
- Run authenticated configuration checks to identify HestiaCP instances at versions 1.9.0 through 1.9.4 with the web terminal feature enabled.
Monitoring Recommendations
- Forward HestiaCP application, web terminal, and authentication logs to a centralized logging platform for retention and correlation.
- Alert on any process spawned by the web terminal that executes outside an interactive PTY context.
- Track file integrity on /usr/local/hestia/web/, the session directory, and the Node.js terminal binaries.
How to Mitigate CVE-2026-43633
Immediate Actions Required
- Upgrade HestiaCP to a fixed release that incorporates commit 854d71b3c1737b0a0d0cc55c926008ffe1f6719b from pull request #5244.
- Disable the web terminal feature on any instance that cannot be patched immediately.
- Restrict network access to the HestiaCP management interface to trusted administrative IP ranges.
- Rotate all administrative credentials and session secrets on hosts suspected of exposure.
Patch Information
The upstream fix replaces the in-process Node.js session parser with a hardened PHP helper (web-terminal-session-auth.php) that validates session IDs and uses PHP's native session APIs. Details are available in the HestiaCP GitHub issue, the pull request #5244, and the VulnCheck advisory. Additional analysis is published by Mercury ISS.
Workarounds
- Disable the web terminal service until the patched version is deployed.
- Place the HestiaCP web interface behind a VPN or reverse proxy that enforces authentication and strips untrusted client headers.
- Configure upstream proxies to overwrite, rather than append to, identity headers such as X-Forwarded-For.
# Disable the HestiaCP web terminal service as a temporary workaround
sudo systemctl stop hestia-web-terminal
sudo systemctl disable hestia-web-terminal
# Verify the service is no longer listening
sudo ss -tlnp | grep -i terminal
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.