ConvoyPanel is a KVM server management panel widely used by hosting providers. Versions from 3.9.0-beta up to but not including 4.5.1 contain a critical vulnerability (CVE-2026-33746) in the JWTService::decode() method, which is responsible for decoding JSON Web Tokens (JWTs) used in authentication. Although the method configures a symmetric HMAC-SHA256 signer via the lcobucci/jwt library, it fails to enforce signature verification by omitting the SignedWith constraint during token validation. Instead, it only validates time-based claims such as expiration (exp), not-before (nbf), and issued-at (iat) using the StrictValidAt constraint. This means that an attacker can craft or tamper with JWT payloads, including the user_uuid claim, and the system will accept these tokens as valid if the time claims are correct. This flaw directly impacts the Single Sign-On (SSO) authentication flow handled by LoginController::authorizeToken, allowing attackers to authenticate as any user without possessing valid credentials or a valid signature. The vulnerability is classified under CWE-287 (Improper Authentication) and CWE-347 (Improper Verification of Cryptographic Signature). The issue was publicly disclosed and patched in ConvoyPanel version 4.5.1. The CVSS v3.1 base score is 9.8 (critical), reflecting network attack vector, low complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability.

This vulnerability allows attackers to bypass authentication controls entirely by forging JWT tokens, effectively granting unauthorized access to any user account within the ConvoyPanel system. Given that ConvoyPanel is used for managing KVM servers in hosting environments, successful exploitation could lead to full administrative control over virtualized server infrastructure. This could result in data breaches, service disruption, unauthorized resource usage, and lateral movement within hosting environments. The compromise of hosting management panels can also facilitate further attacks on hosted clients, amplifying the impact. Since no authentication or user interaction is required, and the flaw is exploitable remotely over the network, the risk is severe for organizations relying on vulnerable versions. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the criticality of patching. The vulnerability undermines trust in the authentication mechanism, potentially leading to widespread unauthorized access and operational disruption.

The primary mitigation is to upgrade ConvoyPanel installations to version 4.5.1 or later, where the JWT signature verification issue is fixed by including the SignedWith constraint in the validation process. Until patching is possible, organizations should consider implementing compensating controls such as restricting network access to the management panel via firewalls or VPNs, enabling multi-factor authentication if supported, and monitoring authentication logs for suspicious token usage or anomalous login patterns. Reviewing and rotating any credentials or tokens that may have been exposed is also advisable. Additionally, security teams should audit their JWT handling code to ensure proper signature verification is enforced and consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block malformed or suspicious JWT tokens. Regular vulnerability scanning and penetration testing focused on authentication mechanisms can help identify similar issues proactively.