CtrlPanel Privilege Escalation (CVE-2026-34358) Allows Full Admin Takeover
The National Vulnerability Database has detailed CVE-2026-34358, a severe broken access control flaw in CtrlPanel, an open-source billing software for hosting providers. Versions 1.1.1 and prior are affected. The vulnerability stems from inconsistent permission checks: admin controllers enforce RBAC on form display methods but critically omit these checks on corresponding write methods. This means any authenticated user, regardless of their assigned role, can bypass privilege restrictions via direct POST/PATCH requests.
Attackers can exploit this to achieve full privilege escalation. This includes issuing API credentials, generating unlimited coupons and vouchers, manipulating partner commissions, altering shop product pricing, reassigning server ownership or identifiers, and modifying user accounts — including roles, credits, passwords, and linked Pterodactyl IDs. The vulnerability also allows abuse of logBackIn() to interfere with admin impersonation sessions without the necessary login_as permission. This isn’t just a minor bypass; it’s a complete administrative takeover from a standard authenticated user.
This flaw impacts the core integrity of hosting provider operations using CtrlPanel. The National Vulnerability Database assigns it a CVSS score of 8.1 (HIGH), underscoring the severity. The issue has been addressed in CtrlPanel version 1.2.0, making patching critical for affected organizations.
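The bug class described above is a guard applied to the form-display method but not to the write method that the form submits to. The following is an added example, not CtrlPanel's code: it models that inconsistency in a small Python permission layer, shows the hardened form where the write handler carries the same check, and adds a route-table audit that lists admin write routes with no permission requirement at all. The permission name `admin.coupons.write` is taken from the page; the user names, route paths and handler bodies are constructed for illustration and are not the project's real routes.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


class Forbidden(Exception):
    """Raised when the acting user lacks the permission a handler requires."""


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


def requires(permission: str):
    """Enforce a permission at call time and record it on the handler so an audit can see it."""
    def wrap(handler: Callable) -> Callable:
        def guarded(user: User, *args, **kwargs):
            if permission not in user.permissions:
                raise Forbidden(f"{user.name} lacks {permission}")
            return handler(user, *args, **kwargs)
        guarded.required_permission = permission
        return guarded
    return wrap


# Vulnerable pattern (constructed): only the form-display method is guarded.
@requires("admin.coupons.write")
def coupon_form_vuln(user: User) -> str:
    return "render create-coupon form"


def coupon_store_vuln(user: User, code: str, uses: int) -> dict:
    # No check here: any authenticated user who posts directly to this route creates a coupon.
    return {"code": code, "uses": uses, "created_by": user.name}


# Hardened pattern: the write method carries the same permission check as the form.
@requires("admin.coupons.write")
def coupon_form_fixed(user: User) -> str:
    return "render create-coupon form"


@requires("admin.coupons.write")
def coupon_store_fixed(user: User, code: str, uses: int) -> dict:
    return {"code": code, "uses": uses, "created_by": user.name}


def allowed(handler: Callable, user: User, *args, **kwargs) -> bool:
    """True if the handler runs for this user, False if the permission layer rejects it."""
    try:
        handler(user, *args, **kwargs)
        return True
    except Forbidden:
        return False


@dataclass
class Route:
    method: str
    path: str
    handler: Callable


def find_unguarded_admin_writes(routes: List[Route]) -> List[Tuple[str, str]]:
    """List POST/PATCH routes under /admin/ whose handler declares no permission.

    This is the consistency check a reviewer would run over a route table to catch
    the form-guarded/write-unguarded pattern before it ships.
    """
    return [
        (r.method, r.path)
        for r in routes
        if r.path.startswith("/admin/")
        and r.method in ("POST", "PATCH")
        and not hasattr(r.handler, "required_permission")
    ]


# Constructed route tables; paths are illustrative, not CtrlPanel's actual routes.
VULNERABLE_ROUTES = [
    Route("GET", "/admin/coupons/create", coupon_form_vuln),
    Route("POST", "/admin/coupons", coupon_store_vuln),
]
FIXED_ROUTES = [
    Route("GET", "/admin/coupons/create", coupon_form_fixed),
    Route("POST", "/admin/coupons", coupon_store_fixed),
]

if __name__ == "__main__":
    guest = User("guest")
    print("guest can store via vulnerable handler:", allowed(coupon_store_vuln, guest, "SUMMER", 5))
    print("guest can store via fixed handler:", allowed(coupon_store_fixed, guest, "SUMMER", 5))
    print("unguarded admin writes (vulnerable table):", find_unguarded_admin_writes(VULNERABLE_ROUTES))
    print("unguarded admin writes (fixed table):", find_unguarded_admin_writes(FIXED_ROUTES))
```

The audit deliberately flags any admin write route without a declared permission rather than trying to pair each write with its form route, because the write route is the one that changes state and it needs a guard whether or not a matching form exists.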
What This Means For You
- If your organization uses CtrlPanel version 1.1.1 or prior, you are exposed to full privilege escalation by any authenticated user. You must immediately update to version 1.2.0 to remediate CVE-2026-34358. After patching, audit all admin actions and user account changes made during the exposure window, up to the moment the patch was deployed, for suspicious activity.
🛡️ Detection Rules
CtrlPanel Unauthenticated Admin Write Access - CVE-2026-34358
```yaml
title: CtrlPanel Unauthenticated Admin Write Access - CVE-2026-34358
id: scw-2026-05-19-ai-1
status: experimental
level: critical
description: |
    Detects direct POST/PATCH requests to specific CtrlPanel admin write endpoints that are vulnerable in versions 1.1.1 and prior due to missing permission checks. This allows any authenticated user to perform administrative actions, including privilege escalation, by directly manipulating these endpoints. The rule specifically targets the vulnerable URIs and HTTP methods.
author: SCW Feed Engine (AI-generated)
date: 2026-05-19
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2026-34358/
tags:
    - attack.privilege_escalation
    - attack.t1078.002
logsource:
    category: webserver
detection:
    selection:
        cs-method:
            - 'POST'
            - 'PATCH'
        cs-uri:
            - '/admin/api/write'
            - '/admin/coupons/write'
            - '/admin/partners/write'
            - '/admin/store/write'
            - '/admin/useful_links/write'
            - '/admin/voucher/write'
            - '/admin/products/edit'
            - '/admin/server/write/change_owner/change_identifier'
            - '/admin/user/write/change_email/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit'
            - '/admin/activity_log/store'
            - '/admin/activity_log/update'
            - '/admin/user/logBackIn'
    condition: selection
falsepositives:
    - Legitimate administrative activity
```
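To see what the rule actually selects, and to get from raw hits to the per-user review the remediation advice above calls for, here is an added example that is not part of the page or of the Sigma rule: it parses W3C-style web server log lines, applies the rule's `cs-method`/`cs-uri` selection, and counts hits per `cs-username` so an analyst can check which accounts held an admin role at the time. The log lines, user names and IP addresses are constructed. The field names follow the rule (`cs-uri`); many web servers log the path as `cs-uri-stem` instead, so adjust the header or the lookup to match your logs. The rule matches `cs-uri` exactly, so the URI list also has to match the paths your CtrlPanel instance actually serves; compare it against the routes in your deployment before relying on it.

```python
from collections import Counter
from typing import Dict, List

# Selection taken from the Sigma rule above.
WRITE_METHODS = {"POST", "PATCH"}
WATCHED_URIS = {
    "/admin/api/write",
    "/admin/coupons/write",
    "/admin/partners/write",
    "/admin/store/write",
    "/admin/useful_links/write",
    "/admin/voucher/write",
    "/admin/products/edit",
    "/admin/server/write/change_owner/change_identifier",
    "/admin/user/write/change_email/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit",
    "/admin/activity_log/store",
    "/admin/activity_log/update",
    "/admin/user/logBackIn",
}

# Constructed sample log in W3C extended format; not a real capture.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri cs-username c-ip sc-status
2026-05-19 10:00:01 GET /admin/coupons user42 203.0.113.7 200
2026-05-19 10:00:05 POST /admin/coupons/write user42 203.0.113.7 302
2026-05-19 10:00:09 POST /admin/user/logBackIn user42 203.0.113.7 302
2026-05-19 10:01:00 POST /login - 198.51.100.4 200
2026-05-19 10:02:00 POST /admin/coupons/write admin 203.0.113.9 302
2026-05-19 10:03:00 PATCH /admin/store/write?return=1 user7 198.51.100.8 302
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C log text into one dict per line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        events.append(dict(zip(fields, values)))
    return events


def matches_rule(event: Dict[str, str]) -> bool:
    """Apply the rule's selection: write method AND path in the watched set.

    The query string is dropped before comparison so that a path logged with
    parameters still matches the rule's exact URI (assumption: cs-uri may carry one).
    """
    path = event.get("cs-uri", "").split("?", 1)[0]
    return event.get("cs-method") in WRITE_METHODS and path in WATCHED_URIS


def run_rule(text: str) -> List[Dict[str, str]]:
    """Return every event in the log text that the rule selects."""
    return [e for e in parse_w3c(text) if matches_rule(e)]


def hits_by_user(hits: List[Dict[str, str]]) -> Counter:
    """Count hits per cs-username; the analyst then checks each account's role."""
    return Counter(e.get("cs-username", "-") for e in hits)


if __name__ == "__main__":
    hits = run_rule(SAMPLE_LOG)
    for h in hits:
        print(h["date"], h["time"], h["cs-method"], h["cs-uri"], h["cs-username"], h["c-ip"])
    print("hits per user:", dict(hits_by_user(hits)))
```

The rule itself cannot tell a legitimate administrator from a standard user hitting the same endpoint, which is why the per-user count matters: a hit from an account that did not hold the relevant admin role at that time is the one to investigate, while hits from real administrators are the rule's documented false positive.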
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-34358 | Privilege Escalation | CtrlPanel versions 1.1.1 and prior |
| CVE-2026-34358 | Auth Bypass | CtrlPanel: ApplicationApiController (admin.api.write) missing permission checks on store()/update() methods |
| CVE-2026-34358 | Auth Bypass | CtrlPanel: CouponController (admin.coupons.write) missing permission checks on store()/update() methods |
| CVE-2026-34358 | Auth Bypass | CtrlPanel: PartnerController (admin.partners.write) missing permission checks on store()/update() methods |
| CVE-2026-34358 | Auth Bypass | CtrlPanel: ShopProductController (admin.store.write) missing permission checks on store()/update() methods |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 20, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.