CVE-2026-34233
Description
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenticated user to access sensitive administrative data that should be restricted to administrators only. The affected admin controllers define datatable() methods that are reachable via GET requests but lack any permission or role verification. Because the routes fall under the /admin/ prefix, operators may assume they are protected; however, the middleware applied to this route group does not enforce admin-level authorization on these specific endpoints. As a result, any authenticated user (regardless of role) can query these endpoints and receive paginated JSON responses containing sensitive records. Exploitation can result in enumeration of user PII, payment and transaction records, active voucher and coupon codes, role and permission structure, server ownership mappings and support ticket contents. This issue has been fixed in version 1.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CtrlPanel 1.1.1 and prior has missing authorization in admin datatable endpoints, allowing any authenticated user to access sensitive data.
Vulnerability
CtrlPanel versions 1.1.1 and prior contain multiple admin controllers that expose datatable() endpoints without authorization checks. While these routes fall under the /admin/ prefix, the applied middleware does not enforce admin-level permissions on these specific GET endpoints. As a result, any authenticated user can access sensitive administrative data that should be restricted to administrators only. The affected controllers include UserController, RoleController, PaymentController, VoucherController, PartnerController, TicketsController, TicketCategoryController, ServerController, CouponController, and ProductController [2]. This issue is fixed in version 1.2.0 [1].
Exploitation
An attacker only needs a valid authenticated session on the CtrlPanel instance, regardless of their role (e.g., regular user). The attacker sends a GET request to any of the unprotected datatable endpoints, such as /admin/users/datatable or /admin/payments/datatable. The server returns a paginated JSON response containing sensitive records without checking for administrator privileges [2]. No special privileges or user interaction beyond authentication is required.
Impact
Successful exploitation allows an authenticated attacker to enumerate sensitive data across multiple categories: user PII (email addresses, IP addresses, credit balances), payment and transaction records (processor transaction IDs, amounts, linked usernames), active voucher and coupon codes (code values, expiry dates), role and permission structure, server ownership mappings with billing rates, and support ticket contents (ticket titles, messages, categories) [2]. This information can be used for further attacks or data breaches.
Mitigation
The vulnerability is fixed in CtrlPanel version 1.2.0 [1]. Operators should upgrade to this version immediately. No workarounds are documented; the only mitigation is applying the patch. The affected versions 1.1.1 and prior are no longer supported once 1.2.0 is available.
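One way a defender can check access logs for the pattern described above (a non-admin user receiving 200 responses from /admin/*/datatable while the regular admin pages return 403), as an added example that is not CtrlPanel's own code; the log format, the usernames and the admin roster are constructed assumptions:

```python
import re
from collections import Counter

# Constructed sample access log (not from any real deployment). Fields: client ip,
# authenticated username, [timestamp], "request line", status, bytes. Assumption:
# the server logs the username; if it logs only a session id, map it to a user first.
SAMPLE_LOG = """\
10.0.0.5 alice [21/May/2026:10:00:01 +0000] "GET /admin/users/datatable?draw=1 HTTP/1.1" 200 4821
10.0.0.9 bob [21/May/2026:10:00:07 +0000] "GET /admin/payments/datatable?draw=3 HTTP/1.1" 200 9133
10.0.0.9 bob [21/May/2026:10:00:09 +0000] "GET /admin/vouchers/datatable HTTP/1.1" 200 771
10.0.0.9 bob [21/May/2026:10:00:12 +0000] "GET /admin/users HTTP/1.1" 403 0
10.0.0.7 carol [21/May/2026:10:01:00 +0000] "GET /servers HTTP/1.1" 200 1200
"""
ADMINS = {"alice"}  # constructed admin roster; load it from the panel's role table in practice

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)
DATATABLE_RE = re.compile(r"^/admin/[A-Za-z0-9_-]+/datatable$")  # e.g. /admin/users/datatable


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the DataTables query string
    rec["status"] = int(rec["status"])
    return rec


def find_unauthorized_datatable_reads(log_text, admins):
    """Flag successful GETs to /admin/*/datatable by users outside the admin set.
    A 200 to a non-admin is the signature: /admin/users itself returns 403 but the
    DataTable JSON endpoint did not check."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        if DATATABLE_RE.match(rec["path"]) and rec["user"] not in admins:
            findings.append({"user": rec["user"], "ip": rec["ip"], "path": rec["path"], "ts": rec["ts"]})
    return findings


def summarize_by_user(findings):
    """Count flagged reads per user for triage, e.g. {'bob': 2}."""
    return dict(Counter(f["user"] for f in findings))
```

Run it against the real access log of a 1.1.1 instance before upgrading to see whether any non-admin account already read these endpoints.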
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
CtrlPanel, range: <=1.1.1
Patches
No patches discovered yet.