Platform
go
Component
panel
Fixed in
3.9.1
CVE-2026-33746 is a critical vulnerability affecting Convoy Panel versions 3.9.0-beta up to, but not including, 4.5.1. This vulnerability stems from a flaw in the JWTService::decode() method, which fails to properly verify the cryptographic signature of JSON Web Tokens (JWTs). An attacker can exploit this to forge or tamper with JWT payloads, potentially gaining unauthorized access to the system. A fix is available in version 4.5.1.
The impact of CVE-2026-33746 is severe. An attacker can craft malicious JWT tokens with altered payloads, specifically targeting the user_uuid claim. By successfully forging these tokens, an attacker could impersonate legitimate users, escalate privileges, and gain complete control over the Convoy Panel. This could lead to unauthorized access to managed KVM servers, data breaches, and potentially complete compromise of the hosting infrastructure. The lack of signature verification means that even if the token's time-based claims (exp, nbf, iat) are valid, a malicious actor can modify the payload without detection. This vulnerability shares similarities with other JWT-related vulnerabilities where improper validation leads to authentication bypass.
CVE-2026-33746 is currently listed on the CISA KEV catalog, indicating a medium probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's severity and ease of exploitation. The vulnerability was publicly disclosed on 2026-04-02. Active campaigns targeting Convoy Panel are not currently confirmed, but the KEV listing suggests increased scrutiny and potential targeting.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33746 is to immediately upgrade Convoy Panel to version 4.5.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. While a direct workaround is difficult without modifying the Convoy Panel code, implementing a reverse proxy or Web Application Firewall (WAF) with JWT validation capabilities before the Convoy Panel can provide an additional layer of defense. Configure the WAF to strictly validate JWT signatures and reject any tokens that fail verification. Monitor Convoy Panel logs for suspicious JWT activity, such as unexpected user IDs or frequent token re-issuance. After upgrading, confirm the fix by attempting to forge a JWT token and verifying that it is rejected by the system.
Update Convoy Panel to version 4.5.1 or higher. This version fixes the JWT signature verification bypass vulnerability. The update ensures that JWT tokens are validated correctly, preventing authentication as arbitrary users.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-33746 is a critical vulnerability in Convoy Panel versions 3.9.0-beta through 4.5.0 where JWT tokens are not properly validated, allowing attackers to forge or tamper with payloads.
If you are running Convoy Panel versions 3.9.0-beta through 4.5.0, you are affected by this vulnerability. Upgrade immediately.
Upgrade Convoy Panel to version 4.5.1 or later. Consider a WAF as a temporary mitigation if immediate upgrade is not possible.
While no active campaigns are confirmed, the vulnerability is listed on the CISA KEV catalog, suggesting a potential for exploitation.
Refer to the Convoy Panel security advisories on their official website or GitHub repository for the latest information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.