Vulnerability Description
1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim’s 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and denial of service.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fit2Cloud | 1Panel | >= 1.10.33-lts, <= 2.0.15 |
Related Weaknesses (CWE)
References
- https://1panel.pro/Product
- https://github.com/1Panel-dev/1Panel/releasesProductRelease Notes
- https://www.vulncheck.com/advisories/1panel-csrf-in-change-username-functionalitThird Party Advisory
FAQ
What is CVE-2025-34410?
CVE-2025-34410 is a vulnerability with a CVSS score of 7.1 (HIGH). 1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does n...
How severe is CVE-2025-34410?
CVE-2025-34410 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-34410?
Check the references section above for vendor advisories and patch information. Affected products include: Fit2Cloud 1Panel.