Critical severity 9.1 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 28, 2026

CVE-2026-41473

Description

CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary data to the database by sending requests to the /api/ai-scanner/status-webhook and /api/ai-scanner/callback endpoints. Attackers can exploit the lack of authentication checks to cause denial of service through storage exhaustion, corrupt scan history records, and pollute database fields with malicious data.

Patches

0a099b1b1939

Merge branch 'v2.4.4' of github.com:usmannasir/cyberpanel into v2.4.4

https://github.com/usmannasir/cyberpanel · usmannasir · Dec 18, 2025 · via nvd-ref
2 files changed · +10 -5
  • plogical/acl.py · +2 -0 · modified
    @@ -761,6 +761,8 @@ def checkOwnership(domain, admin, currentACL):
                 else:
                     if childDomain.master.admin.owner == admin.pk:
                         return 1
    +                else:
    +                    return 0
     
             except:
                 domainName = Websites.objects.get(domain=domain)
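
Review bot: The new `else: return 0` gives the child-domain branch an explicit deny, but the bare `except:` directly below it still catches every exception raised in the `try` and falls through to the `Websites.objects.get(domain=domain)` lookup, so an unexpected error in the child-domain check silently switches to a second ownership path instead of denying. Narrow the handler to the lookup's not-found exception and let anything else deny or propagate. A one-line comment stating that a non-owner is rejected here would also help, since the function signals its result with bare `1`/`0` integers.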
    
  • websiteFunctions/website.py · +8 -5 · modified
    @@ -2519,11 +2519,12 @@ def fetchChildDomainsMain(self, userID=None, data=None):
                 childDomains = []
     
                 for web in websites:
    -                for child in web.childdomains_set.filter(alais=0):
    -                    if child.domain == f'mail.{web.domain}':
    -                        pass
    -                    else:
    -                        childDomains.append(child)
    +                for child in web.childdomains_set.all():
    +                    if child.alais == 0:
    +                        if child.domain == f'mail.{web.domain}':
    +                            pass
    +                        else:
    +                            childDomains.append(child)
     
                 pagination = self.getPagination(len(childDomains), recordsToShow)
                 json_data = self.findChildsListJson(childDomains[finalPageNumber:endPageNumber])
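
Review bot: Replacing `childdomains_set.filter(alais=0)` with `childdomains_set.all()` plus `if child.alais == 0` moves the filter out of the database and into Python, so every child-domain row of every website is loaded before `childDomains[finalPageNumber:endPageNumber]` slices out one page. The hunk gives no reason for the change; if the queryset filter was failing, say why in a comment, otherwise keep the filter in the query. The nested `if`/`pass`/`else` can be one condition: `if child.alais == 0 and child.domain != f'mail.{web.domain}':`.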
    @@ -2533,6 +2534,8 @@ def fetchChildDomainsMain(self, userID=None, data=None):
                 final_json = json.dumps(final_dic)
                 return HttpResponse(final_json)
             except BaseException as msg:
    +            import traceback
    +            logging.CyberCPLogFileWriter.writeToFile(f"fetchChildDomainsMain error for userID {userID}: {str(msg)}\n{traceback.format_exc()}")
                 dic = {'status': 1, 'listWebSiteStatus': 0, 'error_message': str(msg)}
                 json_data = json.dumps(dic)
                 return HttpResponse(json_data)
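
Review bot: The handler now writes the traceback to the log, yet the context line below the added lines still returns `'error_message': str(msg)` to the caller, so internal exception text continues to reach the client. With the detail logged, return a generic message in the response instead. Also move `import traceback` to the top of the module, and consider `except Exception` rather than `except BaseException`, which also catches `SystemExit` and `KeyboardInterrupt`.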
    
