PT-2025-50339 · 1Panel · 1Panel

Av01T3X · Published 2025-12-10 · Updated 2026-01-06 · CVE-2025-34410

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: 1Panel versions 1.10.33 through 2.0.15
Description: 1Panel versions 1.10.33 through 2.0.15 are affected by a cross-site request forgery (CSRF) issue in the Change Username functionality, accessible through the settings panel at the /settings/panel endpoint. The endpoint lacks CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can create a malicious webpage that submits a cross-site request to change a user's username. If a logged-in user visits this page, their browser attaches the valid session cookies to that request, allowing the attacker to change the username without the user's knowledge. This can lead to account lockout and denial of service, as the user will be unable to log in with their previous username after the change.
Recommendations: 1Panel versions 1.10.33 through 2.0.15 should be updated to a version that includes CSRF protections for the Change Username functionality. As a temporary workaround, consider restricting access to the /settings/panel endpoint to trusted networks or users. Note that a network restriction does not by itself stop CSRF, because the forged request is issued by the logged-in user's own browser from inside the trusted network; it only shrinks the set of browsers an attacker can target. Setting the session cookie with a SameSite attribute also reduces exposure, but the proper fix is server-side validation of the Origin/Referer header and an anti-CSRF token on every state-changing request.
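The following is an added example of the two server-side protections the description says are missing (Origin/Referer validation and a session-bound anti-CSRF token), written as a small net/http middleware in Go. It is not 1Panel's code: the handler name, the allowed origin `https://panel.example.internal`, the `session` cookie name, the `X-CSRF-Token` header and the in-memory token store are all assumptions made for the illustration. `Simulate` builds a POST to /settings/panel with a given cookie, Origin and token so the forged and the legitimate request can be compared offline.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Added example, not 1Panel's code. The guard applies two independent checks
// to every state-changing request:
//   1. Origin (or Referer, if Origin is absent) must be the panel's own origin.
//   2. A per-session anti-CSRF token must be echoed in a header and match the
//      token bound to the session cookie.

// allowedOrigins is the set of origins the panel is served from (assumed value).
var allowedOrigins = map[string]bool{
	"https://panel.example.internal": true,
}

// SessionTokens maps a session cookie value to its anti-CSRF token.
// In a real deployment this would live in the server-side session store.
var SessionTokens = map[string]string{}

// NewToken returns a fresh 256-bit random token, hex encoded.
func NewToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// originOf reduces a URL to scheme://host, or "" if it cannot be parsed.
func originOf(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ""
	}
	return u.Scheme + "://" + u.Host
}

// CheckOrigin accepts a request only when Origin (falling back to Referer)
// resolves to an allowed origin. A request carrying neither header is rejected:
// browsers send Origin on cross-site POSTs, so its absence is not a pass.
func CheckOrigin(r *http.Request) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	o := originOf(src)
	return o != "" && allowedOrigins[o]
}

// CheckToken accepts a request only when X-CSRF-Token equals the token bound
// to the session cookie; the comparison is constant time.
func CheckToken(r *http.Request) bool {
	c, err := r.Cookie("session")
	if err != nil {
		return false
	}
	want, ok := SessionTokens[c.Value]
	if !ok {
		return false
	}
	got := r.Header.Get("X-CSRF-Token")
	return subtle.ConstantTimeCompare([]byte(want), []byte(got)) == 1
}

// CSRFGuard rejects non-safe-method requests that fail either check.
func CSRFGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r)
			return
		}
		if !CheckOrigin(r) || !CheckToken(r) {
			http.Error(w, "forbidden: CSRF check failed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// changeUsername stands in for the real username-change handler (hypothetical).
func changeUsername(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write([]byte("username changed to " + r.FormValue("username")))
}

// Simulate returns the HTTP status the guarded handler gives to a POST that
// carries the given session cookie, Origin header and CSRF token header
// (an empty origin or token means the header is omitted).
func Simulate(sessionID, origin, token string) int {
	h := CSRFGuard(http.HandlerFunc(changeUsername))
	req := httptest.NewRequest(http.MethodPost, "/settings/panel", strings.NewReader("username=attacker"))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.AddCookie(&http.Cookie{Name: "session", Value: sessionID})
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if token != "" {
		req.Header.Set("X-CSRF-Token", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	tok := NewToken()
	SessionTokens["sess-1"] = tok
	// Forged cross-site request: the browser attaches the cookie, but Origin is
	// the attacker's site and the attacker's page cannot read the token.
	println(Simulate("sess-1", "https://attacker.example", "")) // 403
	// Legitimate request from the panel's own UI with the session's token.
	println(Simulate("sess-1", "https://panel.example.internal", tok)) // 200
}
```

Either check alone would already block the forged request described above; keeping both means a misconfigured reverse proxy that strips Origin, or a token leak, does not on its own reopen the hole. The token must be unreadable to a cross-site page, so it should be delivered in the panel's own HTML or a same-origin API response, never in a cookie the attacker's form can replay.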

Fix

DoS

CSRF

Weakness Enumeration

Related Identifiers

CVE-2025-34410
GHSA-RPR2-4HQJ-HC4Q
GO-2025-4229
SUSE-SU-2026:0037-1

Affected Products

1Panel