CVE-2026-34233 is an improper access control vulnerability (CWE-284) in CtrlPanel (open-source billing software) versions prior to 1.2.0. Multiple admin controllers expose datatable() methods accessible via GET requests under the /admin/ route prefix but lack permission or role verification. Although the routes are under /admin/, the middleware does not enforce admin-level authorization on these endpoints. Consequently, any authenticated user, regardless of role, can query these endpoints and retrieve paginated JSON responses containing sensitive administrative data including user PII, payment records, voucher codes, role structures, server ownership, and support tickets. This vulnerability allows unauthorized data enumeration but does not affect data integrity or availability. The vulnerability has been addressed in CtrlPanel version 1.2.0.

The vulnerability allows any authenticated user to access sensitive administrative data that should be restricted to administrators. This includes personally identifiable information, financial transaction data, voucher and coupon codes, role and permission configurations, server ownership details, and support ticket information. The impact is limited to confidentiality loss; there is no indication of integrity or availability compromise. No known exploits in the wild have been reported.

Upgrade CtrlPanel to version 1.2.0 or later, where this improper access control issue has been fixed. Until the upgrade is applied, restrict authenticated user access to the affected admin DataTable endpoints or implement additional access control checks to enforce admin-level permissions on these routes. Patch status is not explicitly stated beyond the fix in version 1.2.0; verify with the vendor advisory for the latest remediation guidance.