CVE-2025-34410
HIGH
1Panel 1.10.33-2.0.15 - Cross-Site Request Forgery in Change Username Functionality
Title source: llmDescription
1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim’s 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and denial of service.
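The Origin/Referer validation that the description says is missing, as an added defensive example in Go (this is not 1Panel's own code); the allowed host name, the request path and the handler wiring are constructed for illustration:

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// sameOriginRequest reports whether a request may proceed under an
// Origin/Referer check. Safe methods pass untouched; state-changing
// methods must carry an Origin (preferred) or Referer whose host is in
// allowedHosts. A missing or unparsable header is treated as cross-origin,
// which is the conservative choice for a request that mutates state.
func sameOriginRequest(r *http.Request, allowedHosts map[string]bool) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true
	}
	source := r.Header.Get("Origin")
	if source == "" {
		source = r.Header.Get("Referer")
	}
	if source == "" {
		return false
	}
	u, err := url.Parse(source)
	if err != nil || u.Host == "" { // also rejects the literal "null" Origin
		return false
	}
	// allowedHosts keys are host[:port], lower-cased, e.g. "panel.example.internal:443".
	return allowedHosts[strings.ToLower(u.Host)]
}

// CSRFGuard wraps a handler so that cross-origin state-changing requests
// are refused before the wrapped handler (e.g. a username-change endpoint) runs.
func CSRFGuard(allowedHosts map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !sameOriginRequest(r, allowedHosts) {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed host; in a real deployment this comes from the panel's configured address.
	allowed := map[string]bool{"panel.example.internal": true}
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	http.ListenAndServe("127.0.0.1:8080", CSRFGuard(allowed, ok))
}
```

A token-based defence (synchronizer or double-submit token) is the stronger complement; the header check above is the minimal mitigation the advisory names.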
References (3)
Core References
Product, Release Notes
https://github.com/1Panel-dev/1Panel/releases
Product
https://1panel.pro/
Third Party Advisory
https://www.vulncheck.com/advisories/1panel-csrf-in-change-username-functionality-allows-account-lockout
Scores
CVSS v3
7.1
EPSS
0.0013
EPSS Percentile
2.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-352
Status
published
Products (2)
1Panel-dev/1Panel
1.10.33 (Go)
fit2cloud/1panel
1.10.33-lts - 2.0.15
Published
Dec 10, 2025
Tracked Since
Feb 18, 2026