
CyberPanel v2.3.5 and Security Release Announcement


Hello everyone,

I hope this message finds you well. We are reaching out to inform you about the recent release of CyberPanel version v2.3.5, which includes major bug fixes and important security enhancements.

New Features

  • Onboarding/Setup Wizard
  • Docker Apps
  • Mautic Version 5 and PHP 8 Support
  • Add Rustic Support for ARM
  • Updated MariaDB Version (to v10.11)
  • Database Manager
  • Upgrade CyberPanel via UI

Bug Fixes

Security Problems

Before delving into the details, it’s essential to emphasize that CyberPanel is an open-source platform, subject to continuous scrutiny by security researchers. We have undergone a comprehensive audit conducted by Rack911, with whom we collaborated for over a year to address various security concerns. The findings from this audit, coupled with ongoing research by Altion, have resulted in the robust security measures implemented in version v2.3.5.

Here is an overview of the security issues identified and addressed in this release:

  1. WebTerminal Authentication Bypass: An issue related to WebTerminal Authentication Bypass, present between versions 1.9.2 and 2.1.1, has been thoroughly addressed. To further enhance security, we have removed this feature entirely from version 2.1.1 onward.
  2. Authentication Bypass and Local File Inclusion (LFI) in CloudAPI: A security concern related to the CloudAPI function has been resolved. It’s important to note that API access must be explicitly opened for external access, and by default, it is disabled.
  3. Authentication Bypass in File Manager’s Upload Functionality: A vulnerability in the File Manager upload functionality, caused by a human error, has been rectified in version 2.3.5.
  4. Security Middleware Bypass and Bypass of Security Controls in commandInjectionCheck(): Two security concerns related to the Security Middleware have been addressed. Thorough security checks have been implemented, covering most command injection scenarios. Additionally, adjustments have been made to functions that bypass checks when run by root or triggered externally, such as Git webhooks.
  5. Insecure Generation and Storage of API Tokens: The generation and storage of API tokens have been strengthened to ensure a more secure process.
  6. Broken Authentication and Local File Inclusion (LFI) in ‘/api/FetchRemoteTransferStatus’ endpoint: An issue related to the ‘FetchRemoteTransferStatus’ endpoint has been fixed. While the endpoint had proper authentication in place, a specific command was running before authentication completion. This has been rectified in version 2.3.5.
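The ordering problem described in item 6, shown as an added example (this is not CyberPanel's code; the handler names, request shape and recorded command are hypothetical). Both orderings answer an unauthenticated caller with 401, so the regression check counts the commands that actually ran instead of relying on the status code.

```python
import hmac

# Constructed sample value standing in for a stored API credential.
VALID_TOKEN = "constructed-sample-token"


class Recorder:
    """Stands in for the privileged command runner and records every call."""

    def __init__(self):
        self.calls = []

    def run(self, argv):
        self.calls.append(list(argv))
        return "status: ok"


def is_authenticated(request):
    # Constant-time comparison of the supplied token with the stored one.
    supplied = request.get("token", "")
    return hmac.compare_digest(supplied.encode(), VALID_TOKEN.encode())


def status_handler_before(request, runner):
    """'Before' ordering: the command runs, then the auth result is checked."""
    output = runner.run(["read-status", request.get("job", "")])  # side effect first
    if not is_authenticated(request):
        return 401, ""
    return 200, output


def status_handler_after(request, runner):
    """Fixed ordering: reject first; request data is not used until auth passes."""
    if not is_authenticated(request):
        return 401, ""
    return 200, runner.run(["read-status", request.get("job", "")])


def commands_run_for(handler, request):
    """Return (status code, number of commands executed) for one request."""
    recorder = Recorder()
    status, _ = handler(request, recorder)
    return status, len(recorder.calls)


if __name__ == "__main__":
    bad = {"token": "wrong", "job": "constructed-job-id"}
    print("before:", commands_run_for(status_handler_before, bad))
    print("after: ", commands_run_for(status_handler_after, bad))
```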

We want to reassure you that the security concerns identified were thoroughly assessed, and the necessary measures have been taken to fortify CyberPanel’s security. Your continuous support and trust are paramount, and we encourage all users to upgrade to version 2.3.5 promptly to benefit from these enhancements.

Thank you for your understanding and ongoing collaboration.


Shoaib Khan
