CVE-2026-34358
Description
CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any authenticated user to bypass RBAC via direct POST/PATCH requests. Controllers missing checks on write methods store() and update() include ApplicationApiController (admin.api.write), CouponController (admin.coupons.write), PartnerController (admin.partners.write), ShopProductController (admin.store.write), UsefulLinkController (admin.useful_links.write), and VoucherController (admin.voucher.write); ProductController (admin.products.edit), ServerController (write/change_owner/change_identifier), and UserController (write/change_email/change_credits/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit) are missing checks on update() only, and ActivityLogController exposed empty stub store()/update() methods that silently accepted any request. An authenticated attacker without admin write privileges can issue API credentials, generate unlimited coupons and vouchers, assign arbitrary partner commission and discount rates, alter shop product pricing and limits, reassign server ownership or identifiers, and modify user accounts including roles, credits, passwords, and linked Pterodactyl IDs to achieve full privilege escalation, as well as abuse logBackIn() without the login_as permission to interfere with admin impersonation sessions. This issue has been fixed in version 1.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CtrlPanel 1.1.1 and prior has broken access control on admin write endpoints, allowing authenticated users to bypass RBAC and escalate privileges.
Vulnerability
CtrlPanel versions 1.1.1 and prior contain a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods (create(), edit()) but omit equivalent checks on the corresponding write methods (store(), update()). Affected controllers include ApplicationApiController (requires admin.api.write), CouponController (admin.coupons.write), PartnerController (admin.partners.write), ShopProductController (admin.store.write), UsefulLinkController (admin.useful_links.write), and VoucherController (admin.voucher.write) for both store() and update(); ProductController (admin.products.edit), ServerController (write/change_owner/change_identifier), and UserController (write/change_email/change_credits/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit) for update() only. Additionally, ActivityLogController exposed empty stub store()/update() methods that silently accepted any request [2].
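The asymmetric-check pattern described above, as an added illustration in Laravel-style PHP. This is not CtrlPanel's code and not its fix: the permission name admin.coupons.write is taken from the advisory, while the Coupon model, view names, validation rules and route names are assumptions. The first class shows the bug (gate enforced in the form methods only); the second shows the write methods enforcing the same gate.

```php
<?php
// Added illustration, not CtrlPanel's code. Reproduces the pattern in the
// advisory: permission gate on create()/edit(), absent on store()/update().
// admin.coupons.write comes from the advisory; Coupon, the views, the
// validation rules and the route names are assumed for the example.

namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\Models\Coupon;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

// BEFORE: only the form-display methods call the gate. A user who skips the
// form and sends POST /admin/coupons or PATCH /admin/coupons/{id} directly
// reaches store()/update() without any permission check.
class VulnerableCouponController extends Controller
{
    public function create()
    {
        Gate::authorize('admin.coupons.write');   // checked on the form ...
        return view('admin.coupons.create');
    }

    public function store(Request $request)
    {
        // ... but not on the write path: this is the bug
        Coupon::create($request->validate([
            'code'  => 'required|string|max:64',
            'value' => 'required|numeric|min:0',
        ]));
        return redirect()->route('admin.coupons.index');
    }

    public function edit(Coupon $coupon)
    {
        Gate::authorize('admin.coupons.write');
        return view('admin.coupons.edit', compact('coupon'));
    }

    public function update(Request $request, Coupon $coupon)
    {
        // no Gate::authorize() here either
        $coupon->update($request->validate(['value' => 'required|numeric|min:0']));
        return redirect()->route('admin.coupons.index');
    }
}

// AFTER: every method that mutates state enforces the same gate as the form
// that leads to it. Gate::authorize() throws AuthorizationException, which
// Laravel renders as HTTP 403, so a direct POST/PATCH is rejected before any
// model is touched. create()/edit() are unchanged from above.
class FixedCouponController extends Controller
{
    public function store(Request $request)
    {
        Gate::authorize('admin.coupons.write');
        Coupon::create($request->validate([
            'code'  => 'required|string|max:64',
            'value' => 'required|numeric|min:0',
        ]));
        return redirect()->route('admin.coupons.index');
    }

    public function update(Request $request, Coupon $coupon)
    {
        Gate::authorize('admin.coupons.write');
        $coupon->update($request->validate(['value' => 'required|numeric|min:0']));
        return redirect()->route('admin.coupons.index');
    }
}
```

The per-method call is the smallest fix, but it is exactly what drifted out of sync here. A more robust layout applies the gate at the route layer, for example `->middleware('can:admin.coupons.write')` on the POST and PATCH routes (Laravel's built-in `can` middleware), so the check runs before the controller regardless of what any individual method body does.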
Exploitation
An authenticated attacker without admin write privileges can bypass RBAC by sending direct POST or PATCH requests to the affected endpoints, skipping the form UI entirely. No victim interaction is required; the attacker only needs a valid authenticated session. For example, a direct POST to /admin/coupons with crafted parameters creates a coupon without the admin.coupons.write permission [2]. The attacker can also abuse UserController.logBackIn() without the login_as permission to interfere with admin impersonation sessions [2].
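The direct-write bypass above expressed as a Laravel feature test, added here as an example and not part of CtrlPanel's test suite. It logs in as a freshly created user with no admin permissions and sends POST /admin/coupons and PATCH /admin/coupons/{id} without ever requesting the create/edit form; on a vulnerable build the coupon is written and the assertions fail, on a fixed build the gate returns 403. The /admin/coupons path is from the advisory; the coupons table, the Coupon factory and the field names are assumptions. Laravel's test client skips CSRF verification, and CSRF is not a mitigation in the real case either, since the attacker already holds a session and can read a token from any page.

```php
<?php
// Added regression test, not CtrlPanel's own. Reproduces the advisory's
// bypass: a user without admin.coupons.write writes to /admin/coupons
// directly, never loading the create()/edit() forms.
// Assumed: a `coupons` table with `code` and `value` columns, a Coupon
// factory, and that an authorization failure is rendered as HTTP 403.

namespace Tests\Feature;

use App\Models\Coupon;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class AdminWriteAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    /** Body a low-privileged user would craft; no form was rendered for it. */
    private array $payload = [
        'code'  => 'FREE-CREDITS',
        'value' => 999999,
    ];

    public function test_unprivileged_user_cannot_store_coupon_by_direct_post(): void
    {
        $user = User::factory()->create();   // plain account, no admin permissions

        // Direct write request, no GET /admin/coupons/create beforehand.
        $response = $this->actingAs($user)->post('/admin/coupons', $this->payload);

        $response->assertForbidden();
        $this->assertDatabaseMissing('coupons', ['code' => 'FREE-CREDITS']);
    }

    public function test_unprivileged_user_cannot_update_coupon_by_direct_patch(): void
    {
        $user   = User::factory()->create();
        $coupon = Coupon::factory()->create(['code' => 'SALE10', 'value' => 10]);

        // update() is the other write method the advisory lists for CouponController.
        $response = $this->actingAs($user)
            ->patch("/admin/coupons/{$coupon->id}", ['value' => 100]);

        $response->assertForbidden();
        $this->assertDatabaseHas('coupons', ['id' => $coupon->id, 'value' => 10]);
    }
}
```

The same shape (create a user with no write permission, hit the store and update routes directly, assert 403 and no database change) applies to each controller named in the advisory; a test per write route is the check that keeps the form and write paths from diverging again.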
Impact
Successful exploitation allows an attacker to perform actions reserved for administrators: issue API credentials, generate unlimited coupons and vouchers, assign arbitrary partner commission and discount rates, alter shop product pricing and limits, reassign server ownership or identifiers, and modify user accounts including roles, credits, passwords, and linked Pterodactyl IDs. This leads to full privilege escalation. Additionally, the logBackIn() flaw can disrupt admin session restoration [2].
Mitigation
The vulnerability is fixed in CtrlPanel version 1.2.0 [1]. No workarounds are documented; all users should upgrade to this release. The issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.