CSRF Vulnerability in 1Panel Affects User Account Security
CVE-2025-34410

7 HIGH

Key Information:

Vendor: Lxware

Status
Vendor
CVE Published: 10 December 2025

What is CVE-2025-34410?

1Panel versions 1.10.33 to 2.0.15 are vulnerable to Cross-Site Request Forgery (CSRF) in the Change Username functionality accessible through the settings panel. Because this functionality lacks sufficient CSRF protections, such as anti-CSRF tokens or proper Origin/Referer validation, an attacker can create a malicious website that, when visited by an authenticated user, triggers a hidden request to change that user's username. The result is an unauthorized change of the victim's 1Panel username, causing account lockout and a potential denial of service, as the victim would be unable to access their account afterward.

Affected Version(s)

1Panel 1.10.33 <= 2.0.15

CVSS V4

Score: 7
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

av01t3x