Introduction
An unauthenticated remote code execution vulnerability in CtrlPanel's web installer is being actively exploited in the wild, giving attackers full command execution on hosting provider infrastructure with zero credentials required. The flaw, scored at CVSS 10.0, affects all CtrlPanel instances running version 1.1.1 or earlier where the installer directory remains accessible.
CtrlPanel is an open source billing and management dashboard designed to integrate with Pterodactyl hosting panels. It serves both new and experienced hosting providers, offering dynamic server billing, automatic server suspension, and Discord integration. Because it sits at the intersection of billing and server management, a compromise of CtrlPanel can cascade into control over the underlying hosting infrastructure.
Technical Information
CVE-2026-34234 is classified under CWE-78 (OS Command Injection) and CWE-284 (Improper Access Control). The vulnerability arises from two distinct architectural weaknesses in the installer logic that, when combined, produce a trivially exploitable unauthenticated RCE chain.
Premature Form Handler Execution
In versions 1.1.1 and earlier, the installer script at public/installer/index.php includes and executes form handler files before it checks for the presence of the install.lock file. This ordering mistake means the form logic becomes active on every request, regardless of whether the application has already been fully installed. Any unauthenticated attacker can submit crafted POST requests to installer endpoints on a production instance.
Unsanitized Shell Command Construction
The second weakness lives in the form handlers themselves. In src/forms/smtp.php, user supplied values are interpolated directly into a shell command string with no escaping:
run_console("php artisan settings:set 'MailSettings' '$key' '$value'",...);
The run_console() function in src/functions/shell.php then passes the constructed command and working directory path to proc_open via bash -c, again without escaping:
$handle = proc_open("cd '$path' && bash -c 'exec -a ServerCPP $command'",...);
Attack Flow
The exploitation path is straightforward:
-
The attacker identifies a CtrlPanel instance by requesting the well known
/installerpath. The official CtrlPanel documentation instructs users to install via this exact URL, making discovery trivial through internet scanning. -
Because the
install.lockcheck occurs after form handlers are loaded, the attacker can submit POST requests to the SMTP configuration form handler on a fully deployed instance. -
The attacker submits a crafted payload that breaks out of the single quoted shell context. A documented exploit payload takes the form:
asdasd'' && bash -c 'malicious_command'
-
This payload terminates the intended shell argument and appends an arbitrary command. The injected command executes with the privileges of the web server process.
-
From this position, the attacker can read
.envfiles containing database credentials and application secrets, establish persistence, and pivot laterally across the network.
No authentication, session tokens, or prior knowledge of the target system is required at any step.
Affected Systems and Versions
| Version | Status |
|---|---|
| 1.1.1 and all prior versions | Vulnerable to unauthenticated RCE |
| 1.2.0 | Patched |
Any CtrlPanel deployment where the public/installer/ directory is accessible over the network is exploitable. This includes instances where installation was completed but the installer files were not removed or restricted, which is the default state.
Vendor Security History
CtrlPanel maintains a formal security policy in their GitHub repository, directing users to report vulnerabilities privately rather than through public issues. In response to CVE-2026-34234, the vendor released version 1.2.0 and published a detailed security advisory (GHSA-jmhr-q9q5-fqwh) outlining the root cause and remediation steps. The turnaround from disclosure to patch release demonstrated reasonable responsiveness, though the active exploitation prior to the patch availability underscores the challenge open source projects face in addressing critical vulnerabilities before they are weaponized.



