PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34233 Ctrlpanel-gg CVE debrief

## Summary

**CVE-2026-34233** is a **broken access control** vulnerability in CtrlPanel, an open-source billing platform for hosting providers. In versions 1.1.1 and prior, multiple administrative DataTable endpoints under the `/admin/` route prefix lack authorization checks, allowing any authenticated user—regardless of role—to query sensitive administrative data. The issue was disclosed on 2026-05-19 and fixed in version 1.2.0.

## Technical Details

The vulnerability stems from **missing permission/role verification** in `datatable()` methods within admin controllers. While these routes fall under the `/admin/` prefix (which operators may reasonably assume is protected), the applied middleware does not enforce admin-level authorization on these specific endpoints.

**Affected endpoints expose:**

- User PII
- Payment and transaction records
- Active voucher and coupon codes
- Role and permission structures
- Server ownership mappings
- Support ticket contents

The CVSS 3.1 vector (`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`) reflects a **Network** attack vector, **Low** attack complexity, **Low** privileges required (any authenticated user), **None** for user interaction, **Unchanged** scope, and **High** confidentiality impact, with no integrity or availability impact.

## Affected Versions

- **Vulnerable:** CtrlPanel ≤ 1.1.1
- **Fixed:** CtrlPanel 1.2.0

## Exploitation & Impact

An attacker with any valid user account can send GET requests to affected DataTable endpoints and receive paginated JSON responses containing administrative data. This enables:

- **Data enumeration** of customer and operational records
- **Information disclosure** of financial and support data
- **Reconnaissance** of internal permission structures

The vulnerability is **actively exploitable** with minimal prerequisites—only standard user authentication is required.

## Recommended Actions

| Priority | Action |
|----------|--------|
| **Immediate** | Upgrade to CtrlPanel **1.2.0** or later |
| **Short-term** | Audit access logs for unauthorized queries to `/admin/*` DataTable endpoints |
| **Medium-term** | Review custom middleware implementations for similar authorization |

Vendor
Ctrlpanel-gg
Product
panel
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-19
Original CVE updated
2026-05-20
Advisory published
2026-05-19
Advisory updated
2026-05-20

Who should care

CtrlPanel hosting provider operators, security teams managing billing platforms, compliance officers responsible for customer data protection, and developers maintaining forked or customized CtrlPanel installations

Technical summary

Missing authorization checks in CtrlPanel admin DataTable endpoints (≤1.1.1) allow authenticated users to retrieve sensitive administrative data including PII, payment records, and support tickets via GET requests to /admin/ routes. Fixed in 1.2.0.

Defensive priority

medium

Recommended defensive actions

  • Upgrade CtrlPanel to version 1.2.0 or later to remediate missing authorization checks on administrative DataTable endpoints
  • Review web server and application logs for unauthorized GET requests to /admin/ routes returning paginated JSON responses prior to patching
  • Verify that middleware applied to /admin/ route groups enforces role-based access control on all sub-endpoints including datatable() methods
  • Conduct access control audit of custom or forked CtrlPanel installations for similar authorization gaps in administrative controllers
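As an added illustration of the log-audit action above (not part of the advisory or of CtrlPanel's code), the following script flags successful JSON GETs under `/admin/` by accounts that are not known administrators. It assumes a constructed JSON-per-line application log that records the authenticated user id; the `/admin/...` paths and the admin id set are placeholders, not the real CtrlPanel routes or accounts.

```python
import json
from collections import Counter

# Constructed sample log, not CtrlPanel's real format or routes: one JSON object
# per line, assumed to carry the authenticated user id. The /admin/... paths are
# placeholders standing in for the advisory's admin DataTable endpoints.
SAMPLE_LOG = """\
{"ts":"2026-05-18T09:00:01Z","user_id":1,"method":"GET","path":"/admin/users/datatable","status":200,"content_type":"application/json"}
{"ts":"2026-05-18T09:02:14Z","user_id":7,"method":"GET","path":"/admin/users/datatable","status":200,"content_type":"application/json"}
{"ts":"2026-05-18T09:02:15Z","user_id":7,"method":"GET","path":"/admin/payments/datatable","status":200,"content_type":"application/json"}
{"ts":"2026-05-18T09:02:16Z","user_id":7,"method":"GET","path":"/admin/users","status":302,"content_type":"text/html"}
{"ts":"2026-05-18T09:05:40Z","user_id":9,"method":"GET","path":"/admin/vouchers/datatable","status":403,"content_type":"application/json"}
"""

ADMIN_USER_IDS = {1}  # assumed: the operator's known administrator accounts


def parse_log(text):
    """Parse JSON-per-line records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # blank or truncated line
    return events


def find_unauthorized_admin_reads(events, admin_ids, prefix="/admin/"):
    """Flag successful JSON GETs under the admin prefix by non-admin accounts."""
    # A 200 with a JSON body is the footprint of the missing check; a 302 to the
    # login page or a 403 means the request was refused, so those are skipped.
    return [
        e for e in events
        if e.get("method") == "GET"
        and str(e.get("path", "")).startswith(prefix)
        and e.get("status") == 200
        and str(e.get("content_type", "")).startswith("application/json")
        and e.get("user_id") not in admin_ids
    ]


def requests_per_user(hits):
    """Count flagged requests per account; bursts point to bulk enumeration."""
    return Counter(h["user_id"] for h in hits)


flagged = find_unauthorized_admin_reads(parse_log(SAMPLE_LOG), ADMIN_USER_IDS)
for h in flagged:
    print(f"{h['ts']} user={h['user_id']} {h['path']}")
```

Run it against the period before the 1.2.0 upgrade; every hit is a non-admin account that received administrative data and should be reviewed.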

Evidence notes

Vulnerability description and fix version confirmed via GitHub Security Advisory GHSA-mj5g-j7fq-7hc4 and release tag 1.2.0. CVSS vector and CWE classifications (CWE-284, CWE-862) sourced from NVD record. No KEV listing or known ransomware campaign use identified.

Official resources

2026-05-19