Dpanel Hardcoded JWT Secret Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability exists in Dpanel, a Docker management visualization tool, because the default configuration ships with a hardcoded JWT signing secret. Because the secret is present in the published source code, anyone who can reach the Dpanel service can forge tokens that the application accepts as valid, bypass authentication, and obtain administrative access without credentials. Since Dpanel manages the Docker daemon on the host, administrative access to the panel can translate into control of the host machine. Exploitation could result in exposure of sensitive data, unauthorized execution of commands, privilege escalation, or lateral movement within the network. All Dpanel versions prior to 1.6.1 are affected.
Impact
Successful exploitation gives an unauthenticated attacker administrative control of the panel, which allows writing arbitrary files to the host machine and, from there, remote code execution.
Reproduction
The vulnerability can be reproduced by deploying an affected Dpanel version with the default configuration, which uses the hardcoded JWT secret. No access to the running instance is needed to obtain the secret: it can be read directly from the source code. With the secret, an attacker signs a JWT carrying the claims the application expects for an administrator and presents it in the normal authentication header. Dpanel verifies the signature with the same secret, accepts the token, and grants administrative access to the service. A quick check for an exposed instance is to confirm that a token signed with the published default validates, and that the same token is rejected once the secret has been replaced.
Remediation
Users are advised to update to Dpanel version 1.6.1 or later. For those who cannot upgrade immediately, the hardcoded secret should be replaced with a randomly generated value of sufficient length, loaded at startup from a secure configuration store or environment variable rather than from the source tree, and the application should refuse to start if the value is missing or still equals the shipped default. Replacing the secret invalidates every token signed with the old one, which is the intended effect. Any instance that was reachable by untrusted parties while running with the default secret should be treated as potentially compromised and reviewed for unauthorized activity.
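The following script illustrates both the reproduction step above (forging an administrative token with a secret that is known to the attacker) and the remediation step (a loader that rejects the default and a verifier that no longer accepts the forged token). It is an added example written for this page, not Dpanel's code, and uses only the Python standard library. It assumes HS256, the usual algorithm for a shared-secret JWT; the placeholder value of `HARDCODED_DEFAULT_SECRET`, the claim names `sub` and `role`, and the environment variable `DPANEL_JWT_SECRET` are all assumptions, not values taken from the Dpanel source.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# Placeholder standing in for the value shipped in the source tree (assumption; the
# real constant is deliberately not reproduced here).
HARDCODED_DEFAULT_SECRET = "replace-with-the-value-from-the-source-tree"
MIN_SECRET_LEN = 32


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding that JWT strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the signing input."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{b64url(compact(header))}.{b64url(compact(claims))}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_hs256(token: str, secret: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is validly signed with `secret` and unexpired, else None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: never let the token choose (blocks alg=none / confusion).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        return None
    return claims


def forge_admin_token(secret: str = HARDCODED_DEFAULT_SECRET, now: Optional[int] = None) -> str:
    """Attacker side: sign an administrator token with the publicly known secret.
    Claim names are assumptions about what the application checks."""
    now = int(time.time()) if now is None else now
    claims = {"sub": "admin", "role": "admin", "iat": now, "exp": now + 3600}
    return sign_hs256(claims, secret)


def generate_secret() -> str:
    """Defender side: a fresh, random secret (64 URL-safe characters)."""
    return secrets.token_urlsafe(48)


def load_jwt_secret(env=None) -> str:
    """Defender side: require the secret from configuration and refuse weak or default values."""
    env = os.environ if env is None else env
    value = env.get("DPANEL_JWT_SECRET")  # variable name is an assumption
    if not value or value == HARDCODED_DEFAULT_SECRET or len(value) < MIN_SECRET_LEN:
        raise RuntimeError(
            f"DPANEL_JWT_SECRET must be set to a unique value of at least {MIN_SECRET_LEN} characters"
        )
    return value


if __name__ == "__main__":
    forged = forge_admin_token()
    print("default secret accepts forged token:", verify_hs256(forged, HARDCODED_DEFAULT_SECRET) is not None)
    rotated = load_jwt_secret({"DPANEL_JWT_SECRET": generate_secret()})
    print("rotated secret accepts forged token:", verify_hs256(forged, rotated) is not None)
```

Run as a script, the first line should print `True` (the forged token is accepted while the default secret is in use) and the second `False` (the same token is rejected once the secret has been rotated). The verifier pins the algorithm and uses a constant-time comparison, both of which a real token check should do regardless of this particular bug.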
