Executive Summary
A maximum-severity remote code execution vulnerability (CVE-2026-34234, CVSS 10.0) has been disclosed in CtrlPanel, a popular open-source billing and client management platform used by web hosting providers. The flaw resides in the public-facing web installer (public/installer/index.php) and can be triggered by an unauthenticated attacker with access to the installer URL.
CVSS Score: 10.0 (Critical)
The root cause is a logic ordering error: the installer includes and executes user-supplied form handler logic before checking for the presence of an install.lock file that would block re-installation. An attacker who can reach the installer endpoint can supply a malicious payload and achieve code execution on the underlying server — no credentials required.
Hosting providers running CtrlPanel should treat this as an immediate emergency patch or mitigation priority.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-34234 |
| CVSS Score | 10.0 (Critical) |
| Type | Unauthenticated Remote Code Execution |
| Attack Vector | Network (HTTP/HTTPS) |
| Privileges Required | None |
| User Interaction | None |
| Affected File | public/installer/index.php |
| Affected Versions | CtrlPanel 1.1.1 and all prior releases |
| Patch Available | Pending — see mitigations below |
Affected Products
| Product | Affected Versions | Remediation |
|---|---|---|
| CtrlPanel | 1.1.1 and all prior releases | Block installer access; apply patch when available |
Technical Analysis
Root Cause
The web installer at public/installer/index.php is designed to run only once. After initial setup completes, a file named install.lock is written to disk to prevent the installer from executing again. However, the code evaluates and executes the POST form handlers — which perform database configuration, file writes, and server operations — before checking whether install.lock already exists.
This means an attacker who submits a crafted POST request to the installer endpoint can trigger the form handler execution path regardless of whether the application was previously installed.
Attack Flow
1. Attacker discovers a CtrlPanel instance with the installer URL
publicly accessible (common in default web hosting configurations)
2. Attacker crafts a POST request to /installer/index.php with a
malicious payload embedded in form data
3. installer/index.php includes and runs the form handler logic
BEFORE checking for install.lock
4. Malicious payload executes on the server in the web server
process context (e.g., www-data)
5. Attacker achieves RCE — reverse shell, webshell, file write,
or credential theftWhy Unauthenticated Access Is Possible
In many CtrlPanel deployments, the public/ directory is web-accessible by design — it is the document root. The installer file ships with the package and may remain accessible on production systems if:
- The operator never removed or restricted the installer post-setup
- The server has no filesystem-level protection on the installer path
- The
install.lockcheck is the only protection mechanism — and it is bypassed by this vulnerability
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Arbitrary code execution as the web server user |
| Full Application Compromise | Attacker can overwrite CtrlPanel configuration, inject backdoors |
| Database Access | Database credentials stored in the environment are accessible post-exploitation |
| Customer Data Exposure | Hosting provider client data, invoices, and credentials at risk |
| Lateral Movement | Server-level access enables pivot to other hosted applications |
| Ransomware / Wiper | Attacker can destroy hosted data or deploy destructive payloads |
Immediate Mitigations
Since a vendor patch was not available at the time of this advisory's publication, apply the following mitigations immediately.
Option 1: Restrict Installer Access at the Web Server Level
Apache (.htaccess):
# Block all access to the installer directory
<Directory "/var/www/html/public/installer">
Require all denied
</Directory>
# Or deny specific file
<Files "installer/index.php">
Require all denied
</Files>Nginx:
location ~ ^/installer {
deny all;
return 403;
}Option 2: Remove the Installer File
If the application is already installed and configured, the safest mitigation is to delete the installer entirely:
# Remove the installer directory from the document root
rm -rf /var/www/html/public/installer/
# Verify removal
ls /var/www/html/public/installer/ 2>&1 || echo "Installer directory removed"Option 3: WAF Rule
If using a web application firewall:
Block: POST requests matching path /installer/index.php
Block: GET requests to /installer/* from non-management source IPsDetection and Forensics
If you suspect this vulnerability has been exploited, look for the following indicators:
| Indicator | Description |
|---|---|
POST requests to /installer/index.php in access logs | Exploitation attempts |
| Unexpected PHP files in document root or temp directories | Webshell drops |
| New PHP files with obfuscated or encoded content | Persistent backdoor |
| Unexpected outbound connections from the web server process | Reverse shell or data exfiltration |
Modified .env or config files | Configuration tampering |
| Database user creation or privilege escalation | Post-exploitation persistence |
# Search for unexpected PHP files created recently
find /var/www/html -name "*.php" -newer /var/www/html/composer.json -mtime -7
# Review recent access log entries for installer POST requests
grep "POST.*installer" /var/log/nginx/access.log
grep "POST.*installer" /var/log/apache2/access.log
# Look for PHP files containing suspicious system call patterns
grep -r "passthru\|system\|shell_exec\|proc_open" /var/www/html/public/ \
--include="*.php" -lPost-Remediation Checklist
- Remove or restrict the installer endpoint immediately
- Audit web server access logs for POST requests to
/installer/index.php - Scan document root for unexpected or recently modified PHP files
- Rotate all credentials stored in
.envand config files (database, SMTP, API keys) - Review database users for unauthorized additions or privilege changes
- Check for persistence — scheduled tasks, modified autoloaders, injected service providers
- Apply vendor patch as soon as one is available from the CtrlPanel maintainers
- Notify affected customers if a compromise is confirmed