CVE-2021-27231
Description
Hestia Control Panel 1.4.0 and below allows authenticated users in shared hosting to create subdomains for other users' domains, enabling spoofing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Hestia Control Panel (HestiaCP) versions 1.4.0 and below, including 1.3.5, contain an improper privilege management vulnerability in the web domain creation functionality. When a user adds a web domain via the control panel, the system does not validate whether the domain or subdomain belongs to another user on the same shared hosting environment. This allows any authenticated user to create a subdomain for any domain managed by the HestiaCP DNS server, even if that domain is owned by a different user. The issue is described in references [1] and [2].
Exploitation
An attacker needs only remote authenticated access to HestiaCP (low privilege). The attacker logs in, navigates to the "Add Web Domain" form, enters a subdomain of a target domain owned by another user (e.g., mail.victim.com), and checks the "Create DNS Zone" option. The system does not check ownership, so the subdomain is created. The attacker can then upload arbitrary content to that subdomain and configure email services. As demonstrated in [1], the attacker can create aliases for mail.domain.com and webmail.domain.com, causing all IMAP and POP requests to be directed to the attacker's account, effectively stealing the victim's email credentials and messages.
Impact
A successful attack allows the attacker to take over subdomains of another user's domain, leading to spoofing of services and email messages. The attacker can intercept email credentials, receive emails intended for the victim, and serve malicious content under the victim's domain. This results in information disclosure (email contents, passwords) and potential further compromise of the victim's accounts. The impact is limited to shared hosting environments where DNS is managed by HestiaCP. The CVSS score is 5.4 (Medium) with low confidentiality and integrity impact [1].
Mitigation
The vendor has patched the vulnerability [1]. Users should upgrade to a version of HestiaCP later than 1.4.0. No official workaround is documented, but the GitHub issue [2] suggests adding a checkbox to enforce domain ownership validation at the UI level, similar to DirectAdmin's approach. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Hestia/Hestia Control Panel
- Range: <=1.3.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing ownership validation in the 'Add Web Domain' form allows any authenticated user to create subdomains for domains belonging to other users on the same shared hosting server."
Attack vector
An attacker who is an authenticated user on a shared HestiaCP server can create a subdomain (e.g., `mail.domain.com` or `webmail.domain.com`) for a domain that belongs to another user [ref_id=1]. The attacker uses the "Add Web Domain" button with "Create DNS Zone" checked, and the system does not verify ownership of the parent domain [ref_id=2]. This allows the attacker to set up a vhost or alias that intercepts traffic intended for the victim's subdomain, such as IMAP, POP, or webmail services [ref_id=1]. The attack requires only that both users are on the same HestiaCP server and that the victim's domain uses the server's DNS nameservers [ref_id=2].
Affected code
The vulnerability exists in the "Add Web Domain" form within the Hestia Control Panel web interface. The form does not validate whether a domain being added is a subdomain of a domain already owned by another user on the same shared hosting server [ref_id=2]. The issue is specifically in the PHP form logic that handles domain creation requests [ref_id=2].
What the fix does
The vendor patched the vulnerability, though the specific patch diff is not included in the bundle [ref_id=1]. The recommended remediation, as described in the bug report, is to add validation in the "Add Web Domain" PHP form that checks whether the requested domain is a subdomain of a top-level domain already owned by another user, and to throw an error if so [ref_id=2]. The fix should be enforced at the user-facing web form level rather than at the command line or API level, to avoid breaking legitimate use cases such as shared hosts that provide free subdomains [ref_id=2].
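As an added illustration of the ownership check the bug report recommends (example code written here, not HestiaCP's own PHP form logic), the following Python models the validation: it walks the parent chain of the requested name and refuses the request when the name or any ancestor is a domain owned by a different user, while allowing the requesting user's own domains and unrelated names that merely share a suffix string. The ownership table and user names are constructed for the example.

```python
# Added example, not HestiaCP's code: models the ownership validation the
# bug report recommends for the "Add Web Domain" form. A request is refused
# when the requested name, or any parent of it, is a domain owned by a
# different user on the same server.

def normalize_domain(domain: str) -> str:
    """Lower-case the name and drop surrounding whitespace and a trailing dot."""
    return domain.strip().rstrip(".").lower()


def parent_chain(domain: str) -> list:
    """All label-boundary suffixes: 'a.b.c' -> ['a.b.c', 'b.c', 'c'].
    Matching on label boundaries means 'notdomain.com' does not match
    'domain.com', which a naive endswith() check would get wrong."""
    labels = normalize_domain(domain).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def owner_conflict(requested: str, user: str, ownership: dict):
    """Return (conflicting_domain, owner) if another user owns the requested
    domain or one of its parents, otherwise None. `ownership` maps each
    domain already added on the server to the user who owns it; bare TLDs
    and public suffixes are never in the table, so they cannot conflict."""
    for candidate in parent_chain(requested):
        owner = ownership.get(candidate)
        if owner is not None and owner != user:
            return candidate, owner
    return None


def validate_add_web_domain(requested: str, user: str, ownership: dict) -> str:
    """Form-level check: raise PermissionError on a conflict, else return the
    normalized domain that may be handed on to domain creation."""
    conflict = owner_conflict(requested, user, ownership)
    if conflict is not None:
        domain, owner = conflict
        raise PermissionError(
            f"{normalize_domain(requested)} is under {domain}, owned by {owner}")
    return normalize_domain(requested)


# Constructed sample table of existing web domains and their owners.
OWNERSHIP = {"domain.com": "user1", "user2.net": "user2"}

if __name__ == "__main__":
    for name, who in [("test.domain.com", "user2"), ("mail.domain.com", "user1"),
                      ("notdomain.com", "user2")]:
        try:
            print("allowed:", validate_add_web_domain(name, who, OWNERSHIP))
        except PermissionError as err:
            print("refused:", err)
```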
Preconditions
- auth: Attacker must be an authenticated user on the HestiaCP server
- config: Victim's domain must be using the HestiaCP server's DNS nameservers
- config: Both attacker and victim must be on the same shared hosting environment
- input: Attacker uses the web-based "Add Web Domain" form with "Create DNS Zone" checked
Reproduction
1. As user1, add a domain (e.g., `domain.com`) with just the MAIL service using the "Add Web Domain" form [ref_id=1].
2. As user2, add a subdomain (e.g., `test.domain.com`) with just the DOMAIN service using the "Add Web Domain" form with "Create DNS Zone" checked [ref_id=1][ref_id=2].
3. User2 can then add vhost/aliases for `domain.com`, `webmail.domain.com`, and `mail.domain.com` [ref_id=1].
4. Visiting `https://webmail.domain.com` or `https://mail.domain.com` in a browser shows user2's content instead of user1's [ref_id=1].
5. User1's email credentials (IMAP/SMTP hostnames pointing to `mail.domain.com`) are now intercepted by user2 [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/hestiacp/hestiacp/issues/1622
- github.com/sickcodes/security/blob/master/advisories/sick-2021-006.md
- sick.codes/sick-2021-006
- www.hestiacp.com
News mentions
No linked articles in our index yet.