CVE-2026-33746
Published: 02 April 2026
Summary
CVE-2026-33746 is a critical-severity Improper Authentication (CWE-287) vulnerability in Convoypanel Convoy. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 14.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-2 requires unique identification and authentication of organizational users, directly preventing acceptance of forged JWT tokens that impersonate users in the SSO authentication flow.
SI-7 mandates integrity verification of software, firmware, and information using cryptographic mechanisms like signatures, directly addressing the failure to verify JWT cryptographic signatures.
IA-5 requires secure management and protection of authenticators such as JWT tokens, helping mitigate forgery risks through proper handling and verification practices.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables forging JWT tokens (signature verification is missing) to bypass authentication in the public-facing Convoy panel, which maps directly to T1190 (Exploit Public-Facing Application) and T1606 (Forge Web Credentials).
NVD Description
Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode() method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated time-based claims (exp, nbf, iat) using the StrictValidAt constraint. The SignedWith constraint was not included in the validation step. This means an attacker could forge or tamper with JWT token payloads — such as modifying the user_uuid claim — and the token would be accepted as valid, as long as the time-based claims were satisfied. This directly impacts the SSO authentication flow (LoginController::authorizeToken), allowing an attacker to authenticate as any user by crafting a token with an arbitrary user_uuid. This issue has been patched in version 4.5.1.
Deeper analysis
CVE-2026-33746 is a critical vulnerability in Convoy, a KVM server management panel for hosting businesses, affecting versions from 3.9.0-beta up to but not including 4.5.1. The issue lies in the JWTService::decode() method, which configures a symmetric HMAC-SHA256 signer via the lcobucci/jwt library but fails to verify the cryptographic signature of JWT tokens. Instead, it only validates time-based claims (exp, nbf, iat) using the StrictValidAt constraint, omitting the SignedWith constraint during validation.
Any unauthenticated attacker with network access can exploit this vulnerability by forging or tampering with JWT token payloads, such as modifying the user_uuid claim to impersonate another user, as long as the time-based claims remain valid. This directly compromises the SSO authentication flow in LoginController::authorizeToken, allowing arbitrary user authentication. The flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication) and CWE-347 (Improper Verification of Cryptographic Signature).
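The missing check, shown as an added stdlib-Python model rather than Convoy's PHP or the lcobucci/jwt code: decode_vulnerable reproduces the pre-4.5.1 logic (time-based claims only), and decode_fixed adds the equivalent of the SignedWith constraint, pinning the algorithm and verifying the HMAC before any claim is trusted. The secret, claim values and helper names are constructed for this demonstration.

```python
"""Added example (not Convoy's code): stdlib model of the CVE-2026-33746 check."""
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed, not a real key

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode(claims: dict, key: bytes) -> str:
    """Issue an HS256 token; the signature covers base64url(header).base64url(payload)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def _time_claims_ok(claims: dict, now: int) -> bool:
    """StrictValidAt-style rule: exp, nbf and iat must all be present and consistent."""
    return (all(k in claims for k in ("exp", "nbf", "iat"))
            and claims["nbf"] <= now and claims["iat"] <= now and now < claims["exp"])

def decode_vulnerable(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Pre-4.5.1 behaviour: time-based claims only; the signature is never checked."""
    now = int(time.time()) if now is None else now
    _, payload, _ = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return claims if _time_claims_ok(claims, now) else None

def decode_fixed(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """SignedWith-equivalent added: pin the algorithm and verify the HMAC first."""
    now = int(time.time()) if now is None else now
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None  # tampered payload, or token signed with another key
    claims = json.loads(_b64url_decode(payload))
    return claims if _time_claims_ok(claims, now) else None

def tampered_copy(token: str, **changes) -> str:
    """Rewrite payload claims but keep the old signature: what the bug lets through."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims.update(changes)
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"
```

Running decode_fixed against a token whose user_uuid was rewritten returns None, while decode_vulnerable returns the rewritten claims as long as exp, nbf and iat still hold, which is exactly the acceptance the advisory describes.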
The vulnerability has been patched in Convoy version 4.5.1. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub security advisory at https://github.com/ConvoyPanel/panel/security/advisories/GHSA-92pg-3w49-4w5x and the release notes at https://github.com/ConvoyPanel/panel/releases/tag/v4.5.1.
Details
- CWE(s)