1Panel Cross-Site Request Forgery Vulnerability in Change Username Functionality

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in 1Panel from version 1.10.33 up to (but not including) 2.0.15. The issue resides in the Change Username feature within the settings panel. The vulnerable endpoint lacks proper CSRF protections, such as anti-CSRF tokens or validation of the Origin/Referer headers. This allows an attacker to craft a malicious webpage that, when visited by an authenticated user, changes that user's 1Panel username without the user's consent. After the unauthorized username change, the user is logged out and locked out of their account, because they can no longer log in with the previous username, which amounts to a denial-of-service condition.

Impact

Exploitation of this vulnerability allows for unauthorized username changes, causing account lockout and denial-of-service for the affected user.
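The two missing protections named above (an anti-CSRF token and Origin/Referer validation) can be layered in one server-side check. The following Go guard is an added illustration written for this page, not 1Panel's own code: the type and function names (CSRFGuard, Check, mkReq), the error values, the X-CSRF-Token header name and the /settings/change-username path are all assumptions chosen for the example. It treats any state-changing request as forged unless the browser-supplied Origin (or, failing that, Referer) matches the site's own origin and the request carries the per-session token, which a cross-site page cannot read even though the browser attaches the session cookie automatically.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Errors returned by the guard; a handler would map each to HTTP 403.
var (
	ErrBadOrigin  = errors.New("csrf: Origin/Referer does not match this site")
	ErrMissingSrc = errors.New("csrf: request carries neither Origin nor Referer")
	ErrBadToken   = errors.New("csrf: anti-CSRF token missing or wrong")
)

// CSRFGuard holds the origin (scheme://host[:port]) the panel is served on.
type CSRFGuard struct {
	SiteOrigin string
}

// sameOrigin reports whether raw (an Origin value or a Referer URL) has the
// same scheme and host as the configured site origin. An unparsable value or
// the literal "null" origin yields false and is therefore rejected.
func (g CSRFGuard) sameOrigin(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	return u.Scheme+"://"+u.Host == g.SiteOrigin
}

// Check validates a state-changing request. sessionToken is the anti-CSRF
// token bound to the caller's session on the server side. Safe methods are
// not checked; everything else must pass both the source and token checks.
func (g CSRFGuard) Check(r *http.Request, sessionToken string) error {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return nil
	}
	// Step 1: source check. Browsers attach Origin to cross-site POSTs; fall
	// back to Referer when Origin is absent; reject when both are missing.
	if o := r.Header.Get("Origin"); o != "" {
		if !g.sameOrigin(o) {
			return ErrBadOrigin
		}
	} else if ref := r.Header.Get("Referer"); ref != "" {
		if !g.sameOrigin(ref) {
			return ErrBadOrigin
		}
	} else {
		return ErrMissingSrc
	}
	// Step 2: token check, compared in constant time so timing does not leak
	// how many leading bytes of a guess were right.
	got := r.Header.Get("X-CSRF-Token")
	if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(sessionToken)) != 1 {
		return ErrBadToken
	}
	return nil
}

// mkReq builds a constructed request against a hypothetical change-username
// endpoint; empty header values are simply left unset.
func mkReq(method, origin, referer, token string) *http.Request {
	r, _ := http.NewRequest(method, "https://panel.example:8443/settings/change-username", nil)
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	if referer != "" {
		r.Header.Set("Referer", referer)
	}
	if token != "" {
		r.Header.Set("X-CSRF-Token", token)
	}
	return r
}

func main() {
	g := CSRFGuard{SiteOrigin: "https://panel.example:8443"}
	const tok = "constructed-session-token" // per-session, server-stored
	// A same-site form submission carrying the token passes.
	fmt.Println("legit:", g.Check(mkReq("POST", "https://panel.example:8443", "", tok), tok))
	// A cross-site page cannot forge the origin or read the token.
	fmt.Println("cross-site:", g.Check(mkReq("POST", "https://other.example", "", ""), tok))
}
```

Both checks matter: the origin check alone would admit a request from a same-site page that somehow lost its token, and the token check alone would still reject cross-site requests, but validating the source first gives a clean signal to log (a mismatched Origin on a username-change endpoint is worth alerting on) before any token comparison happens.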

Added: Dec 10, 2025, 4:26 PM
Updated: Dec 10, 2025, 4:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 4.4
remediation: 0.0
relevance: 1.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.