1Panel
cpe:2.3:a:1panel:1panel:*:*:*:*:*:*:*
- <= 2.0.14
A vulnerability in 1Panel, a web-based Linux server management control panel, allows remote clients to spoof the X-Forwarded-For header and bypass IP-based access controls. This issue affects all versions of 1Panel through 2.0.14. The vulnerability arises because the server trusts all reverse-proxy headers by default, allowing clients to manipulate their perceived IP address. As a result, protections that rely on IP whitelists or localhost checks are rendered ineffective.
Exploitation of this vulnerability allows remote clients to bypass all IP-based access controls, including whitelists and localhost-only checks, by spoofing their IP address in the X-Forwarded-For header.
Users can upgrade to 1Panel version 2.0.15 to address this vulnerability.
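The header-trust problem described above, as an added Go example (not 1Panel's code and not the 2.0.15 patch): `naiveClientIP` believes `X-Forwarded-For` from any sender, while `clientIP` reads it only when the TCP peer is a configured proxy. The function names and the proxy ranges in `trustedProxies` are assumptions made for illustration.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

var trustedProxies = []string{"127.0.0.1/32", "10.0.0.0/8"} // constructed example ranges

func isTrusted(ip net.IP) bool {
	for _, cidr := range trustedProxies {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// naiveClientIP is the flawed pattern: the header is believed whoever sent it.
func naiveClientIP(r *http.Request) string {
	return strings.TrimSpace(strings.Split(r.Header.Get("X-Forwarded-For"), ",")[0])
}

// clientIP trusts the header only from a proxy peer and walks it right to left.
func clientIP(r *http.Request) string {
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	if peer := net.ParseIP(host); peer == nil || !isTrusted(peer) {
		return host // direct client: ignore anything it put in the header
	}
	hops := strings.FieldsFunc(strings.Join(r.Header.Values("X-Forwarded-For"), ","),
		func(c rune) bool { return c == ',' || c == ' ' })
	for i := len(hops) - 1; i >= 0; i-- {
		if ip := net.ParseIP(hops[i]); ip == nil {
			return "" // malformed hop: caller should deny
		} else if !isTrusted(ip) {
			return ip.String() // first hop that is not one of our proxies
		}
	}
	return host
}

func req(remote string, xff ...string) *http.Request { // constructed demo request
	return &http.Request{RemoteAddr: remote, Header: http.Header{"X-Forwarded-For": xff}}
}

func main() {
	println(clientIP(req("203.0.113.7:40000", "127.0.0.1"))) // spoofed header, no proxy
}
```

Access checks such as an IP whitelist or a localhost-only rule should compare against the value `clientIP` returns and deny when it is empty.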