A high-severity vulnerability in HestiaCP, tracked as CVE-2026-12196, allows a low-privileged user to take over administrator accounts by abusing the control panel's panel cron job feature. The flaw stems from broken authorization in cron job handling, where an undefined variable in an access-control check lets unauthorized users modify privileged jobs; the issue is compounded by missing CSRF token validation. Security reporting says the bug is remotely exploitable and carries a CVSS 4.0 score of 8.3.
By altering a privileged cron job, an attacker can trigger HestiaCP management scripts that run with passwordless sudo, including scheduling commands to reset the admin password. Researchers said successful exploitation can lead to full administrator takeover within the application and compromise of the underlying web server, amounting to effective remote code execution. A manual fix was published in GitHub pull request #5440, while reports indicated a formal HestiaCP release had not yet been issued at the time of disclosure.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
A CVE feed entry published CVE-2026-12196 as a high-severity broken access control flaw in HestiaCP, noting remote exploitability, administrator account takeover risk, underlying webserver compromise, and a CVSS 4.0 score of 8.3. The entry referenced the HestiaCP GitHub pull request and the Project Black technical write-up.
Project Black published details of CVE-2026-12196, describing how a broken authorization check and missing CSRF validation in HestiaCP panel cron job handling let a low-privileged user modify privileged jobs, reset the admin password, and achieve effective remote code execution. The write-up said no formal HestiaCP release had been issued yet, though a manual patch was available via GitHub pull request #5440.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.