1Panel swap baseApi.UpdateDeviceSwap command injection
Description
A vulnerability, which was classified as critical, has been found in 1Panel up to 1.10.1-lts. Affected by this issue is the function baseApi.UpdateDeviceSwap of the file /api/v1/toolbox/device/update/swap. The manipulation of the argument Path with the input 123123123\nopen -a Calculator leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-256304.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
1Panel up to 1.10.1-lts has a critical command injection in /api/v1/toolbox/device/update/swap via the Path parameter, allowing remote code execution.
Vulnerability
Overview
The vulnerability resides in the baseApi.UpdateDeviceSwap function of 1Panel, an open-source server management panel. The endpoint /api/v1/toolbox/device/update/swap takes a Path argument that is passed directly to a shell command (swapoff) via cmd.Execf. The application includes a CheckIllegal function that blocks many shell metacharacters like &, |, ;, $, but it does not filter the newline character (\n). An attacker can inject a newline to terminate the intended command and execute arbitrary system commands [1][3].
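To make the bypass concrete, here is an added Go example (not 1Panel's code; the filter is a hypothetical reconstruction of the blocklist pattern described above, and the function names `legacyCheckIllegal`, `vulnerableSwapoffCommand`, `validateSwapPath` and `safeSwapoffArgv` are mine). It shows why a metacharacter blocklist that omits `\n` lets the sample payload through once the value is formatted into a shell command line, and beside it a hardened check that rejects control characters, requires a canonical absolute path, and hands the path to the program as an argv element so a shell never parses it.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// legacyCheckIllegal models the kind of metacharacter blocklist the advisory
// describes (hypothetical reconstruction, not 1Panel's CheckIllegal): common
// shell operators are rejected, but a newline is not in the list.
func legacyCheckIllegal(arg string) bool {
	for _, bad := range []string{"&", "|", ";", "$", "`", "'", "\"", "(", ")"} {
		if strings.Contains(arg, bad) {
			return true
		}
	}
	return false
}

// vulnerableSwapoffCommand is the injection sink: the user-controlled path is
// formatted into one command-line string destined for a shell. A newline in
// the path therefore turns into a second, attacker-chosen command.
func vulnerableSwapoffCommand(path string) (string, error) {
	if legacyCheckIllegal(path) {
		return "", errors.New("illegal characters in path")
	}
	return fmt.Sprintf("swapoff %s", path), nil
}

// shellLines splits a command line the way a POSIX shell treats a newline:
// as a command separator. It only models the shell; nothing is executed.
func shellLines(cmdline string) []string {
	return strings.Split(cmdline, "\n")
}

// validateSwapPath is the hardened check: control characters are rejected
// outright, the old blocklist still applies, and the value must be a clean
// absolute filesystem path rather than arbitrary text.
func validateSwapPath(path string) error {
	if strings.ContainsAny(path, "\n\r\x00") {
		return errors.New("control characters not allowed in path")
	}
	if legacyCheckIllegal(path) {
		return errors.New("shell metacharacters not allowed in path")
	}
	if !filepath.IsAbs(path) {
		return errors.New("swap path must be absolute")
	}
	if filepath.Clean(path) != path {
		return errors.New("swap path must be canonical")
	}
	return nil
}

// safeSwapoffArgv builds the argument vector for exec.Command("swapoff", path).
// Because the path is a separate argv element, no shell ever tokenises it,
// so even a missed metacharacter cannot start a new command.
func safeSwapoffArgv(path string) ([]string, error) {
	if err := validateSwapPath(path); err != nil {
		return nil, err
	}
	return []string{"swapoff", path}, nil
}

func main() {
	payload := "123123123\nopen -a Calculator" // the payload quoted in the advisory

	cmdline, err := vulnerableSwapoffCommand(payload)
	fmt.Printf("legacy filter accepted payload: err=%v\n", err)
	for i, line := range shellLines(cmdline) {
		fmt.Printf("  shell would run command %d: %q\n", i+1, line)
	}

	_, err = safeSwapoffArgv(payload)
	fmt.Printf("hardened check on payload: err=%v\n", err)

	argv, err := safeSwapoffArgv("/swapfile")
	fmt.Printf("hardened argv for /swapfile: %q err=%v\n", argv, err)
}
```

The design point is the last function: adding `\n` to a blocklist closes this bypass, but building argv directly and validating the value as a path (not as "text without bad characters") removes the shell from the picture, so the next unlisted character does not become the next CVE.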
Exploitation
The attack can be launched remotely, but it is not unauthenticated: the endpoint is part of the panel's administrative API, and the VulDB entry cited below tags the issue as permissions-required, so the attacker needs a valid panel session. With that session, a crafted POST request to the vulnerable endpoint carrying a newline followed by any command in the Path parameter is enough. The published value 123123123\nopen -a Calculator merely launches the Calculator application on macOS as a visible proof; in a real attack the second line would be a reverse shell or a data exfiltration command. The exploit has been publicly disclosed and a proof-of-concept packet is available [1][3][4].
Impact
Successful exploitation allows an authenticated remote attacker to execute arbitrary commands with the privileges of the 1Panel service process. Because the endpoint exists to run swapoff, which itself needs root, that process is normally root, so the injected command runs as root as well. This can lead to full compromise of the server, including data theft, installation of malware, or further lateral movement within the network. Given that 1Panel is often deployed on VPS hosts running sensitive applications, the impact is critical [1][2].
Mitigation
The issue was fixed in pull request #4131 on GitHub, whose title translates to "fix: resolve the command-injection WAF bypass"; the change closes the gap in the input filter that let the newline through [3][4]. Note that the sources on this page disagree about the boundary: the VulDB description says versions "up to 1.10.1-lts" are affected, while the GitHub Security Advisory table lists 1.10.1-lts as the patched version. Administrators should therefore confirm that their build contains the commit from PR #4131 rather than relying on the version string alone, and upgrade to the latest release if it does not. There is no configuration switch that disables the vulnerable endpoint; the only fix is the patch. Until it is applied, limiting panel access to trusted networks and keeping panel accounts to a minimum reduces exposure, since exploitation requires an authenticated session.
- NVD - CVE-2024-2352
- GitHub - 1Panel-dev/1Panel (project repository: an open-source VPS control panel)
- fix: resolve the command-injection WAF bypass, by L1nyz-tel · Pull Request #4131 · 1Panel-dev/1Panel
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| github.com/1Panel-dev/1Panel (Go) | < 1.10.1-lts | 1.10.1-lts |
Affected products
- 1Panel/1Panel
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/1Panel-dev/1Panel/pull/4131/commits/0edd7a9f6f5100aab98a0ea6e5deedff7700396c (GHSA reference; issue-tracking, patch; web)
- github.com/1Panel-dev/1Panel/pull/4131 (GHSA reference; exploit, issue-tracking; web)
- github.com/advisories/GHSA-x2vg-5wrf-vj6v (GHSA reference; advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-2352 (GHSA reference; advisory)
- vuldb.com (GHSA reference; signature, permissions-required; web)
- vuldb.com (GHSA reference; VDB entry, technical description; web)
News mentions
No linked articles in our index yet.