CRITICAL🇵🇱 Wersja polska

CVE-2026-33746

CVSS 9.8v3.1pub. 2026-04-02upd. 2026-04-16

Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode() method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated time-based claims (exp, nbf, iat) using the StrictValidAt constraint. The SignedWith constraint was not included in the validation step. This means an attacker could forge or tamper with JWT token payloads — such as modifying the user_uuid claim — and the token would be accepted as valid, as long as the time-based claims were satisfied. This directly impacts the SSO authentication flow (LoginController::authorizeToken), allowing an attacker to authenticate as any user by crafting a token with an arbitrary user_uuid. This issue has been patched in version 4.5.1.

🤖 AI Analysis
How it works

The JWTService::decode() method configured a symmetric HMAC-SHA256 signer using the lcobucci/jwt library, but during validation applied only the StrictValidAt constraint checking temporal claims (exp, nbf, iat). The SignedWith constraint verifying the cryptographic signature was not included in the validation step. An attacker can therefore independently construct a JWT token with any user_uuid claim value, and the system will accept it as valid as long as the temporal claims are satisfied. The forged token can be used directly in the SSO flow (LoginController::authorizeToken), resulting in full account takeover of the selected user.

Impact

An attacker without any credentials can authenticate as any user in the system, including an administrator, gaining full access to the KVM server management panel. This leads to complete compromise of confidentiality, integrity, and availability of the managed infrastructure.

Mitigation & patch

Convoy should be updated to version 4.5.1, which introduces JWT signature verification using the SignedWith constraint. Patches are available in the vendor's repository: https://github.com/ConvoyPanel/panel/releases/tag/v4.5.1

Who is affected

Convoy (ConvoyPanel) in versions 3.9.0-beta through 4.5.0 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Convoypanel Convoy

    APP
    Convoypanel
    < 4.5.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References