CVE-2020-36948
Published: 27 January 2026
Summary
CVE-2020-36948 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Vulnerability Lab (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2020-36948 is a session token vulnerability in the LoginAs module of VestaCP version 0.9.8-26. The flaw arises from insufficient token validation, enabling remote attackers to manipulate authentication tokens and bypass proper checks.
The vulnerability can be exploited by unauthenticated remote attackers over the network with low attack complexity and no user interaction required, as indicated by its CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and association with CWE-863 (Incorrect Authorization). Successful exploitation allows attackers to access user accounts and perform unauthorized login requests without administrative permissions.
Advisories from VulnCheck and Vulnerability Lab, along with a proof-of-concept exploit on Exploit-DB, document the issue, while the official VestaCP site provides related information. No specific patch details are outlined in the available references.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30863
Vulnerability details
VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing VestaCP web application allows remote unauthenticated attackers to manipulate session tokens for unauthorized account access, directly enabling exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-3 enforces approved authorizations for access, directly preventing token manipulation exploits that bypass authentication checks in the LoginAs module.
IA-5 ensures proper management and validation of authenticators like session tokens, mitigating insufficient token validation vulnerabilities.
SC-23 protects session authenticity through mechanisms that verify tokens, countering remote manipulation for unauthorized logins.