CVSS 9.1 · CRITICAL

CVE-2026-41473

CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary data to the database by sending requests to the /api/ai-scanner/status-webhook and /api/ai-scanner/callback endpoints. Attackers can exploit the lack of authentication checks to cause denial of service through storage exhaustion, corrupt scan history records, and pollute database fields with malicious data.

View on NVD

Analysis

CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API. Remote attackers can send unauthenticated requests to internal webhooks to write arbitrary data to the database, leading to potential data corruption or denial of service.
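The two unauthenticated endpoints named above can be hunted for in ordinary web-server access logs. The script below is an added example, not CyberPanel's own code: it assumes Apache/nginx "combined" log format and a caller-supplied list of trusted source addresses (for instance the scanner worker itself), and reports every other source that reached either endpoint, which is the signal a defender would want before assuming the scan history is clean.

```python
import re
from collections import defaultdict

# Endpoints named in the advisory for CVE-2026-41473 (pre-2.4.4 CyberPanel).
WEBHOOK_PATHS = ("/api/ai-scanner/status-webhook", "/api/ai-scanner/callback")

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines for demonstration; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2026:10:01:02 +0000] "POST /api/ai-scanner/status-webhook HTTP/1.1" 200 17
203.0.113.7 - - [25/Apr/2026:10:01:03 +0000] "POST /api/ai-scanner/callback HTTP/1.1" 200 17
127.0.0.1 - - [25/Apr/2026:10:02:00 +0000] "POST /api/ai-scanner/status-webhook HTTP/1.1" 200 17
198.51.100.4 - - [25/Apr/2026:10:03:00 +0000] "GET /api/ai-scanner/callback?x=1 HTTP/1.1" 405 0
10.0.0.9 - - [25/Apr/2026:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # match on the route, ignore query strings
    return rec


def find_webhook_hits(lines, trusted_sources=()):
    """Group requests to the scanner webhook endpoints by source IP.

    Any source not in trusted_sources is reported, regardless of method or
    status: a rejected probe is still worth knowing about.
    """
    hits = defaultdict(lambda: {"count": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in WEBHOOK_PATHS:
            continue
        if rec["ip"] in trusted_sources:
            continue
        hits[rec["ip"]]["count"] += 1
        hits[rec["ip"]]["paths"].add(rec["path"])
    return dict(hits)


if __name__ == "__main__":
    for ip, info in find_webhook_hits(SAMPLE_LOG.splitlines(), ("127.0.0.1",)).items():
        print(ip, info["count"], sorted(info["paths"]))
```

Feed it the real access log and the worker's address in place of the constructed sample; any remaining entries should be cross-checked against the scan-history table for records written at those timestamps.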

Severity

Score: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: NONE
I: HIGH
A: HIGH
Weakness type (CWE): CWE-306

EPSS

Probability of exploitation (next 30 days): 0.0072 (0.7%)
Percentile: 72.5%
EPSS date: 2026-05-06

Affects

cyberpanel:cyberpanel

Published: 24/4/2026, 21:16:19
Last modified: 28/4/2026, 15:44:53
