CVE-2025-34410

UNKNOWN 0.0

1Panel CSRF in Change Username Functionality Allows Account Lockout

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim’s 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and denial of service.

CWE	CWE-352
Vendor	lxware
Product	1panel
Published	Dec 10, 2025
Last Updated	Mar 5, 2026

Stay Ahead of the Next One

Get instant alerts for lxware 1panel

Be the first to know when new unknown vulnerabilities affecting lxware 1panel are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

LXware / 1Panel

1.10.33 ≤ 2.0.15

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/1Panel-dev/1Panel/releases 1panel.pro: https://1panel.pro/ vulncheck.com: https://www.vulncheck.com/advisories/1panel-csrf-in-change-username-functionality-allows-account-lockout

Credits

av01t3x