Platform
go
Component
panel
Fixed in
3.9.1
CVE-2026-33746 is a critical vulnerability affecting Convoy Panel versions 3.9.0-beta up to, but not including, 4.5.1. This vulnerability stems from a flaw in the JWTService::decode() method, which fails to properly verify the cryptographic signature of JSON Web Tokens (JWTs). An attacker can exploit this to forge or tamper with JWT payloads, potentially gaining unauthorized access to the system. A fix is available in version 4.5.1.
The impact of CVE-2026-33746 is severe. An attacker who successfully exploits this vulnerability can forge JWT tokens, effectively impersonating any user within the Convoy Panel system. This includes administrators, allowing complete control over the panel's configuration and hosted virtual machines. Attackers could modify user UUIDs within the JWT payload to gain access to sensitive data or perform unauthorized actions on behalf of other users. The lack of signature verification means that even a slightly modified token will be accepted as valid, making detection difficult without specific monitoring. This vulnerability shares similarities with other JWT-related vulnerabilities where improper validation leads to authentication bypass.
CVE-2026-33746 was published on 2026-04-02. It is listed on the CISA KEV catalog, indicating a medium probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's severity and ease of exploitation. Active campaigns targeting Convoy Panel are not currently confirmed, but the vulnerability's critical nature makes it a high-value target.
Hosting businesses utilizing Convoy Panel to manage their KVM infrastructure are at significant risk. Specifically, deployments using older versions (3.9.0-beta through 4.5.0) are vulnerable. Shared hosting environments where multiple users share a single Convoy Panel instance are particularly exposed, as a compromise of one user's account could lead to broader system access.
• linux / server:
journalctl -u convoy-panel | grep -i "JWT decode failed"
• generic web:
curl -I <convoy_panel_url>/api/v1/users/me | grep -i "Authorization: Bearer"
Inspect the Authorization header for malformed or suspicious JWT tokens.
• generic web:
Review Convoy Panel access logs for unusual user agent strings or IP addresses attempting to access sensitive endpoints.
disclosure
kev
Exploit status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33746 is to immediately upgrade Convoy Panel to version 4.5.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. While not a complete solution, restricting network access to the Convoy Panel to trusted sources can reduce the attack surface. Implement strict input validation on all user-supplied data to minimize the potential for payload manipulation. Monitor JWT logs for unusual activity or suspicious token patterns. Consider using a Web Application Firewall (WAF) with JWT validation capabilities to detect and block malicious requests. After upgrading, confirm the fix by attempting to forge a JWT token and verifying that it is rejected by the system.
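The page lists the platform as go, so the following is an added Go example written for this page; it is not Convoy Panel's own code and not a reconstruction of its JWTService::decode(). It places a decoder with the bug class described in the vulnerability summary (payload parsed and trusted, signature segment never checked) beside a hardened decoder that pins the algorithm and compares a recomputed HMAC in constant time, and it ends with the post-upgrade check the mitigation paragraph asks for: a token whose payload was altered after signing must be rejected. The claim name `sub`, the demo key, and the choice of HS256 are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is a minimal payload; the field name is an assumption for this example.
type Claims struct {
	Sub string `json:"sub"` // user identifier
}

var b64 = base64.RawURLEncoding

func hs256(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

func decodeClaims(segment string) (Claims, error) {
	var c Claims
	payload, err := b64.DecodeString(segment)
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(payload, &c)
}

// Sign issues header.payload.signature with HS256 computed over the first two segments.
func Sign(claims Claims, key []byte) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(hs256(key, input)), nil
}

// InsecureDecode models the bug class in the advisory: claims are parsed and trusted while
// the signature segment is never checked. Hypothetical reconstruction, not Convoy's code.
func InsecureDecode(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	return decodeClaims(parts[1])
}

// VerifyAndDecode is the hardened form: pin the algorithm, recompute the HMAC over
// header.payload, compare in constant time, and only then read the claims.
func VerifyAndDecode(token string, key []byte) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return Claims{}, errors.New("malformed header")
	}
	if hdr.Alg != "HS256" { // also rejects "none" and algorithm-swap tokens
		return Claims{}, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(hs256(key, parts[0]+"."+parts[1]), sig) {
		return Claims{}, errors.New("signature verification failed")
	}
	return decodeClaims(parts[1])
}

// TamperedCopy rewrites the subject but keeps the old signature: the post-upgrade check the
// advisory recommends, whose result a decoder that verifies signatures must reject.
func TamperedCopy(token, newSub string) string {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return token
	}
	c, _ := decodeClaims(parts[1])
	c.Sub = newSub
	body, _ := json.Marshal(c)
	parts[1] = b64.EncodeToString(body)
	return strings.Join(parts, ".")
}

func main() {
	key := []byte("constructed-demo-key") // constructed for this example, not a real secret
	token, _ := Sign(Claims{Sub: "user-1"}, key)
	_, err := VerifyAndDecode(TamperedCopy(token, "admin-0"), key)
	fmt.Println("tampered token:", err)
}
```

Run against a patched deployment's own signing key, the same shape of check applies: issue a token, alter one claim in its payload, and confirm the panel's decoder returns an error rather than the altered claims. The hardened decoder also rejects a header whose alg is not the one the server issues, which closes the related "alg":"none" and algorithm-swap variants that the summary's comparison to other JWT bypasses refers to.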
Upgrade Convoy Panel to version 4.5.1 or later. This version fixes the JWT signature verification bypass vulnerability. The update ensures that JWT tokens are validated correctly, which prevents authentication as arbitrary users.
CVE-2026-33746 is a critical vulnerability in Convoy Panel versions 3.9.0-beta through 4.5.0 where JWT tokens are not properly validated, allowing attackers to forge or tamper with payloads.
If you are running Convoy Panel versions 3.9.0-beta through 4.5.0, you are affected by this vulnerability. Upgrade immediately.
Upgrade Convoy Panel to version 4.5.1 or later. Consider a WAF as a temporary mitigation if immediate upgrade is not possible.
While no active campaigns are confirmed, the vulnerability is listed on the CISA KEV catalog, suggesting a potential for exploitation.
Refer to the Convoy Panel security advisories on their official website or GitHub repository for the latest information and updates.