PT-2026-42021 · Ctrlpanel · Ctrlpanel

Published: 2026-05-19 · Updated: 2026-05-19 · CVE-2026-34358
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: CtrlPanel versions prior to 1.2.0
Description: Broken access control: several admin controllers enforce permission checks on the methods that display a form but omit them on the corresponding write methods, so an authenticated user can bypass Role-Based Access Control (RBAC) by sending the POST or PATCH request directly. Specifically, the store() and update() methods in 'ApplicationApiController' (admin.api.write), 'CouponController' (admin.coupons.write), 'PartnerController' (admin.partners.write), 'ShopProductController' (admin.store.write), 'UsefulLinkController' (admin.useful links.write), and 'VoucherController' (admin.voucher.write) lack checks. The update() method lacks checks in 'ProductController' (admin.products.edit), 'ServerController' (write/change owner/change identifier), and 'UserController' (write/change email/change credits/change username/change password/change role/change referral/change ptero/change serverlimit). Additionally, 'ActivityLogController' contains empty stub store() and update() methods that accept any request. An attacker can issue API credentials, generate coupons and vouchers, alter pricing, reassign server ownership, modify user roles and passwords for privilege escalation, and abuse logBackIn() to interfere with admin impersonation sessions.
Recommendations: Update to version 1.2.0.
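The pattern behind this advisory, as an added illustration rather than CtrlPanel's own code: a hypothetical Laravel admin controller whose GET form method is guarded while its POST handler is not, next to a hardened version that binds the permission to every action in the constructor and fails closed on unimplemented actions. It assumes Laravel's controller middleware() with the 'can:' ability middleware, the base controller's authorize() helper, and permission names in the style the advisory lists; the Coupon model, routes and validation rules are made up for the example.

```php
<?php
// Added example, not CtrlPanel's own code. Assumes Laravel controller middleware()
// with the 'can:' ability middleware and permission names like admin.coupons.write;
// the Coupon model, routes and validation rules are invented for illustration.
namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\Models\Coupon;
use Illuminate\Http\Request;

class VulnerableCouponController extends Controller
{
    // GET /admin/coupons/create is guarded, so the form is hidden from unprivileged users...
    public function create()
    {
        $this->authorize('admin.coupons.write');
        return view('admin.coupons.create');
    }

    // ...but POST /admin/coupons is not: a request sent directly, without ever
    // loading the form, reaches the write as any authenticated user.
    public function store(Request $request)
    {
        return Coupon::create($request->validate(['code' => 'required|string', 'percentage' => 'required|integer|between:1,100']));
    }
}

class HardenedCouponController extends Controller
{
    public function __construct()
    {
        // Bind the permission to every action here, so read and write routes are
        // covered together and a method added later cannot be forgotten.
        $this->middleware('can:admin.coupons.read')->only(['index', 'show']);
        $this->middleware('can:admin.coupons.write')->except(['index', 'show']);
    }

    // create() and store() no longer need a manual check; the write is still gated.
    public function store(Request $request)
    {
        return Coupon::create($request->validate(['code' => 'required|string', 'percentage' => 'required|integer|between:1,100']));
    }

    // Actions the controller does not implement must fail closed instead of being
    // left as empty stubs that accept any request (the ActivityLogController case).
    public function update(Request $request, Coupon $coupon)
    {
        abort(405);
    }
}
```

Better still, do not route unimplemented actions at all (Route::resource(...)->only([...])), so no stub exists to reach.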

Tags: Exploit · Fix · LPE
Weakness Enumeration: Improper Access Control · Missing Authorization
Related Identifiers: CVE-2026-34358
Affected Products: Ctrlpanel