CVE-2025-34410

1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim’s 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and denial of service.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://1panel.pro/	Product
https://github.com/1Panel-dev/1Panel/releases	Product Release Notes
https://www.vulncheck.com/advisories/1panel-csrf-in-change-username-functionality-allows-account-lockout	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:fit2cloud:1panel:*:*:*:*:*:*:*:*

History

23 Dec 2025, 14:19

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.1
First Time		Fit2cloud 1panel Fit2cloud
References	~~() https://1panel.pro/ -~~	() https://1panel.pro/ - Product
References	~~() https://github.com/1Panel-dev/1Panel/releases -~~	() https://github.com/1Panel-dev/1Panel/releases - Product, Release Notes
References	~~() https://www.vulncheck.com/advisories/1panel-csrf-in-change-username-functionality-allows-account-lockout -~~	() https://www.vulncheck.com/advisories/1panel-csrf-in-change-username-functionality-allows-account-lockout - Third Party Advisory
CPE		cpe:2.3:a:fit2cloud:1panel::::::::

10 Dec 2025, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-10 16:16

Updated : 2025-12-23 14:19

NVD link : CVE-2025-34410

Mitre link : CVE-2025-34410

CVE.ORG link : CVE-2025-34410

JSON object : View

Products Affected

fit2cloud

1panel

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2025-34410", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-12-10T16:16:24.793", "references": [{"url": "https://1panel.pro/", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/1Panel-dev/1Panel/releases", "tags": ["Product", "Release Notes"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/1panel-csrf-in-change-username-functionality-allows-account-lockout", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "1Panel versions 1.10.33 -\u00a02.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim\u2019s 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and denial of service."}], "lastModified": "2025-12-23T14:19:13.443", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fit2cloud:1panel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4044A6FA-6EC3-4541-99AB-0FE6A1109FAF", "versionEndIncluding": "2.0.15", "versionStartIncluding": "1.10.33-lts"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}