CyberPanel Authentication Bypass Vulnerability in AI Scanner API Endpoints Allowing Unauthenticated Database Injection

Vulnerability

A vulnerability exists in CyberPanel versions prior to 2.4.4, allowing unauthenticated remote attackers to bypass authentication on AI Scanner worker API endpoints. This vulnerability enables attackers to write arbitrary data to the database by sending requests to the '/api/ai-scanner/status-webhook' and '/api/ai-scanner/callback' endpoints. The lack of authentication checks can be exploited to cause a denial-of-service by exhausting storage, corrupting scan history records, and contaminating database fields with malicious data.

Impact

Exploitation of this vulnerability leads to unauthorized database modifications, including the injection of malicious data that can be exploited further, such as Cross-Site Scripting (XSS) payloads. Additionally, the vulnerability allows for a denial-of-service condition by flooding the database with excessive junk data, causing storage exhaustion.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/ai-scanner/status-webhook' endpoint without authentication, including a 'scan_id' field in the request body to simulate a status update from the AI scanner. Because no authentication check is performed, the request results in data being written to the 'ScanStatusUpdate' records. The same applies to the '/api/ai-scanner/callback' endpoint, which likewise lacks authentication and can be used to inject findings into the scan history.

Remediation

Users are advised to update to CyberPanel version 2.4.4 or later, where this vulnerability has been fixed by implementing proper authentication and API key validation for the affected endpoints.
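The fix described above comes down to refusing to write anything until the caller proves it is the scanner worker. The following is an added, framework-agnostic Python illustration of that guard for a status-webhook style endpoint; it is not CyberPanel's code, and the header names (X-API-Key, X-Signature), the status vocabulary, the request size bound and the secrets are all constructed for the example. It pairs a shared API key with an HMAC over the raw body, compares both in constant time, and only then validates the payload against scans that already exist.

```python
"""Authentication guard for a scanner webhook endpoint.

Added illustration only: framework-agnostic Python, not CyberPanel's own code.
Secrets, header names and the status vocabulary are constructed for the example;
a real service loads the secrets from configuration, never from source.
"""
import hashlib
import hmac
import json
from typing import Dict, Mapping, Set, Tuple

# Constructed secrets for the example (hypothetical values).
EXPECTED_API_KEY = b"example-api-key-0123456789abcdef"
WEBHOOK_SIGNING_SECRET = b"example-webhook-signing-secret"

# Closed vocabulary, so arbitrary text never reaches the status column.
ALLOWED_STATUSES = {"queued", "running", "completed", "failed"}
MAX_BODY_BYTES = 64 * 1024  # bound request size so junk cannot exhaust storage


def sign_body(body: bytes) -> str:
    """HMAC-SHA256 over the raw body; the worker sends this as X-Signature."""
    return hmac.new(WEBHOOK_SIGNING_SECRET, body, hashlib.sha256).hexdigest()


def build_request_headers(api_key: bytes, body: bytes) -> Dict[str, str]:
    """Headers a legitimate worker would attach (constructed for the example)."""
    return {"X-API-Key": api_key.decode("utf-8"), "X-Signature": sign_body(body)}


def is_authenticated(headers: Mapping[str, str], body: bytes) -> bool:
    """Both the shared API key and the body signature must verify.

    compare_digest keeps the comparison constant-time; encoding both sides to
    bytes avoids the TypeError it raises on non-ASCII str input.
    """
    key = headers.get("X-API-Key", "")
    sig = headers.get("X-Signature", "")
    key_ok = hmac.compare_digest(key.encode("utf-8"), EXPECTED_API_KEY)
    sig_ok = hmac.compare_digest(sig.encode("utf-8"), sign_body(body).encode("ascii"))
    return key_ok and sig_ok


def handle_status_webhook(headers: Mapping[str, str], body: bytes,
                          known_scan_ids: Set[str]) -> Tuple[int, str]:
    """Process a status update; nothing is persisted until the caller is verified."""
    if len(body) > MAX_BODY_BYTES:
        return 413, "payload too large"
    if not is_authenticated(headers, body):
        return 401, "unauthorized"  # unauthenticated callers never reach the database
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "malformed json"
    if not isinstance(payload, dict):
        return 400, "malformed json"
    scan_id = payload.get("scan_id")
    status = payload.get("status")
    if not isinstance(scan_id, str) or scan_id not in known_scan_ids:
        return 404, "unknown scan"  # only pre-existing scans may be updated
    if status not in ALLOWED_STATUSES:
        return 400, "invalid status"
    # A real handler would persist (scan_id, status) here.
    return 200, "ok"


def run_demo() -> Dict[str, int]:
    """Exercise the guard with constructed requests; returns the HTTP code per case."""
    known = {"scan-42"}
    good_body = json.dumps({"scan_id": "scan-42", "status": "completed"}).encode()
    good_headers = build_request_headers(EXPECTED_API_KEY, good_body)
    # Signed for good_body, then the body is changed in transit.
    tampered_body = json.dumps({"scan_id": "scan-42", "status": "completed", "extra": 1}).encode()
    unknown_body = json.dumps({"scan_id": "scan-999", "status": "completed"}).encode()
    bad_status_body = json.dumps({"scan_id": "scan-42", "status": "not-a-real-status"}).encode()
    oversized_body = b"{" + b" " * MAX_BODY_BYTES + b"}"

    def signed(body: bytes) -> Dict[str, str]:
        return build_request_headers(EXPECTED_API_KEY, body)

    return {
        "valid": handle_status_webhook(good_headers, good_body, known)[0],
        "no_auth": handle_status_webhook({}, good_body, known)[0],
        "wrong_key": handle_status_webhook(build_request_headers(b"wrong-key", good_body), good_body, known)[0],
        "tampered_body": handle_status_webhook(good_headers, tampered_body, known)[0],
        "unknown_scan": handle_status_webhook(signed(unknown_body), unknown_body, known)[0],
        "bad_status": handle_status_webhook(signed(bad_status_body), bad_status_body, known)[0],
        "oversized": handle_status_webhook(signed(oversized_body), oversized_body, known)[0],
    }


if __name__ == "__main__":
    for case, code in run_demo().items():
        print(f"{case:14s} -> {code}")
```

The order of checks matters for the denial-of-service angle: the size bound is enforced before any HMAC work, authentication before any parsing, and existence of the scan before any write, so an unauthenticated flood costs the service a header comparison and nothing in storage.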

Added: Apr 24, 2026, 9:28 PM
Updated: Apr 24, 2026, 9:28 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 0.6
exploitability: 9.5
remediation: 7.7
relevance: 6.6
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.