Cyber Resilience

CVE-2020-36948

Severity: High · Public PoC

Published: 27 January 2026
Modified: 15 April 2026
KEV Added: (not listed)
Patch: (none recorded)
CVSS Score (v4): 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0056 (42.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2020-36948 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Vulnerability Lab (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 42.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2020-36948 is a session token vulnerability in the LoginAs module of VestaCP version 0.9.8-26. The flaw arises from insufficient token validation, enabling remote attackers to manipulate authentication tokens and bypass proper checks.

The vulnerability can be exploited by unauthenticated remote attackers over the network with low attack complexity and no user interaction required, as indicated by its CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and association with CWE-863 (Incorrect Authorization). Successful exploitation allows attackers to access user accounts and perform unauthorized login requests without administrative permissions.

Advisories from VulnCheck and Vulnerability Lab, along with a proof-of-concept exploit on Exploit-DB, document the issue, while the official VestaCP site provides related information. No specific patch details are outlined in the available references.

Vulnerability details

VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Vulnerability in public-facing VestaCP web application allows remote unauthenticated attackers to manipulate session tokens for unauthorized account access, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32924 (shared CWE-863)
CVE-2026-23837 (shared CWE-863)
CVE-2026-29087 (shared CWE-863)
CVE-2026-30947 (shared CWE-863)
CVE-2024-13291 (shared CWE-863)
CVE-2026-23989 (shared CWE-863)
CVE-2025-30744 (shared CWE-863)
CVE-2024-53553 (shared CWE-863)
CVE-2026-34532 (shared CWE-863)
CVE-2026-0562 (shared CWE-863)

Affected Assets

Vulnerability Lab
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent: AC-3 (Access Enforcement) enforces approved authorizations for access, directly preventing token manipulation exploits that bypass authentication checks in the LoginAs module.

Prevent: IA-5 (Authenticator Management) ensures proper management and validation of authenticators such as session tokens, mitigating insufficient token validation vulnerabilities.

Prevent: SC-23 (Session Authenticity) protects session authenticity through mechanisms that verify tokens, countering remote manipulation for unauthorized logins.
