CVE-2026-34358 is an improper access control vulnerability (CWE-284) in CtrlPanel (open-source billing software) versions prior to 1.2.0. Multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on write methods like store() and update(). This allows any authenticated user to bypass RBAC by sending direct POST or PATCH requests to these endpoints. Affected controllers include ApplicationApiController, CouponController, PartnerController, ShopProductController, VoucherController, ProductController, ServerController, UserController, and ActivityLogController. Exploitation enables privilege escalation and unauthorized administrative actions. The vulnerability is rated high severity with a CVSS 3.1 score of 8.1 (Network attack vector, low attack complexity, requires privileges, no user interaction, impacts confidentiality and integrity).

An authenticated attacker without admin write privileges can escalate their privileges and perform unauthorized administrative actions such as issuing API credentials, generating unlimited coupons and vouchers, modifying partner commissions and discounts, changing shop product pricing and limits, reassigning server ownership and identifiers, and altering user accounts including roles, credits, passwords, and linked Pterodactyl IDs. This leads to a full compromise of administrative functions and potential abuse of the billing system.

This vulnerability has been fixed in CtrlPanel version 1.2.0. Users should upgrade to version 1.2.0 or later to remediate this issue. Since no official patch link or advisory is provided, verify the upgrade availability from the vendor's official repository or website. No additional mitigation is indicated by the vendor advisory.