Description

CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary data to the database by sending requests to the /api/ai-scanner/status-webhook and /api/ai-scanner/callback endpoints. Attackers can exploit the lack of authentication checks to cause denial of service through storage exhaustion, corrupt scan history records, and pollute database fields with malicious data.

PUBLISHED Reserved 2026-04-20 | Published 2026-04-24 | Updated 2026-04-27 | Assigner VulnCheck




HIGH: 8.8 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status
unaffected

Any version before 2.4.4
affected

0a099b1b193946555fbdd387a28486b1521f9961 (git)
unaffected

Credits

Djibril Mounkoro finder

References

itsrez.re/post/cyberpanel-rce technical-description exploit

github.com/...ommit/0a099b1b193946555fbdd387a28486b1521f9961 patch

www.vulncheck.com/...ted-api-access-via-ai-scanner-endpoints third-party-advisory

cve.org (CVE-2026-41473)

nvd.nist.gov (CVE-2026-41473)
