ZeroPath at Black Hat USA 2026

CtrlPanel CVE-2026-34234: Brief Summary of a Critical Unauthenticated RCE in the Web Installer

A brief summary of CVE-2026-34234, a CVSS 10.0 unauthenticated remote code execution vulnerability in CtrlPanel's web installer that is actively exploited in the wild, affecting versions 1.1.1 and prior.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-19

CtrlPanel CVE-2026-34234: Brief Summary of a Critical Unauthenticated RCE in the Web Installer
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated remote code execution vulnerability in CtrlPanel's web installer is being actively exploited in the wild, giving attackers full command execution on hosting provider infrastructure with zero credentials required. The flaw, scored at CVSS 10.0, affects all CtrlPanel instances running version 1.1.1 or earlier where the installer directory remains accessible.

CtrlPanel is an open source billing and management dashboard designed to integrate with Pterodactyl hosting panels. It serves both new and experienced hosting providers, offering dynamic server billing, automatic server suspension, and Discord integration. Because it sits at the intersection of billing and server management, a compromise of CtrlPanel can cascade into control over the underlying hosting infrastructure.

Technical Information

CVE-2026-34234 is classified under CWE-78 (OS Command Injection) and CWE-284 (Improper Access Control). The vulnerability arises from two distinct architectural weaknesses in the installer logic that, when combined, produce a trivially exploitable unauthenticated RCE chain.

Premature Form Handler Execution

In versions 1.1.1 and earlier, the installer script at public/installer/index.php includes and executes form handler files before it checks for the presence of the install.lock file. This ordering mistake means the form logic becomes active on every request, regardless of whether the application has already been fully installed. Any unauthenticated attacker can submit crafted POST requests to installer endpoints on a production instance.

Unsanitized Shell Command Construction

The second weakness lives in the form handlers themselves. In src/forms/smtp.php, user supplied values are interpolated directly into a shell command string with no escaping:

run_console("php artisan settings:set 'MailSettings' '$key' '$value'",...);

The run_console() function in src/functions/shell.php then passes the constructed command and working directory path to proc_open via bash -c, again without escaping:

$handle = proc_open("cd '$path' && bash -c 'exec -a ServerCPP $command'",...);

Attack Flow

The exploitation path is straightforward:

  1. The attacker identifies a CtrlPanel instance by requesting the well known /installer path. The official CtrlPanel documentation instructs users to install via this exact URL, making discovery trivial through internet scanning.

  2. Because the install.lock check occurs after form handlers are loaded, the attacker can submit POST requests to the SMTP configuration form handler on a fully deployed instance.

  3. The attacker submits a crafted payload that breaks out of the single quoted shell context. A documented exploit payload takes the form:

asdasd'' && bash -c 'malicious_command'
  1. This payload terminates the intended shell argument and appends an arbitrary command. The injected command executes with the privileges of the web server process.

  2. From this position, the attacker can read .env files containing database credentials and application secrets, establish persistence, and pivot laterally across the network.

No authentication, session tokens, or prior knowledge of the target system is required at any step.

Affected Systems and Versions

VersionStatus
1.1.1 and all prior versionsVulnerable to unauthenticated RCE
1.2.0Patched

Any CtrlPanel deployment where the public/installer/ directory is accessible over the network is exploitable. This includes instances where installation was completed but the installer files were not removed or restricted, which is the default state.

Vendor Security History

CtrlPanel maintains a formal security policy in their GitHub repository, directing users to report vulnerabilities privately rather than through public issues. In response to CVE-2026-34234, the vendor released version 1.2.0 and published a detailed security advisory (GHSA-jmhr-q9q5-fqwh) outlining the root cause and remediation steps. The turnaround from disclosure to patch release demonstrated reasonable responsiveness, though the active exploitation prior to the patch availability underscores the challenge open source projects face in addressing critical vulnerabilities before they are weaponized.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization