CVE-2026-12196 is a broken access control vulnerability in the cron job feature of the HestiaCP panel. HestiaCP distinguishes ordinary user cron jobs from privileged panel cron jobs: panel cron jobs are meant to be editable only by administrators and run as the more privileged panel user. In the vulnerable code path, the authorization check guarding modification of panel cron jobs is an if statement that compares the session context and user data against $ROOT_USER, but $ROOT_USER is never defined there and evaluates to an empty value, so the comparison restricts nothing. Any authenticated low-privileged user can therefore modify panel cron jobs. The same analysis notes that the relevant request also lacks CSRF validation, so the modification can additionally be triggered cross-site through a logged-in user's browser. Because the panel user can invoke HestiaCP management scripts through passwordless sudo, an attacker who controls a panel cron job can schedule a privileged command such as /usr/local/hestia/bin/v-change-user-password to reset the admin password and take over the administrator account; the same mechanism amounts to code execution on the underlying web server.
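The attacker's path above ends in a cron entry that runs a HestiaCP management script, so a quick assume-compromise check is to audit the panel user's crontab for such entries. The following is an added example, not code from HestiaCP or from the advisory: only the /usr/local/hestia/bin prefix and v-change-user-password come from the analysis; the panel user name "admin", the crontab path /var/spool/cron/crontabs/admin and the v-update-sys-queue job name are assumptions for illustration, and the sample crontab is constructed.

```shell
#!/bin/sh
# Added example (not HestiaCP or advisory code): audit a crontab file for jobs
# that invoke privileged HestiaCP management scripts. Assumptions: the panel
# user is "admin", its crontab lives at /var/spool/cron/crontabs/admin, and
# v-update-sys-queue is an illustrative script name.

HESTIA_BIN=/usr/local/hestia/bin

# Print one line per cron entry that runs a script under $HESTIA_BIN.
# Entries calling v-change-user-password are tagged HIGH, since an admin
# password reset is the takeover path described in the analysis; any other
# management script is tagged REVIEW. Comments and blank lines are ignored.
audit_hestia_cron() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    awk -v bin="$HESTIA_BIN" '
        index($0, bin "/v-change-user-password") { print "HIGH: " $0; next }
        index($0, bin "/")                       { print "REVIEW: " $0 }
    '
}

# Number of flagged entries, usable as a monitoring metric.
count_flagged() {
    audit_hestia_cron "$1" | wc -l | tr -d ' '
}

# Constructed sample crontab (not a real capture) so the script runs stand-alone.
SAMPLE_CRON=$(mktemp)
cat > "$SAMPLE_CRON" <<'EOF'
# constructed sample: a panel user's crontab
30 3 * * * /usr/bin/find /tmp -mtime +1 -delete
*/10 * * * * sudo /usr/local/hestia/bin/v-update-sys-queue restart
* * * * * sudo /usr/local/hestia/bin/v-change-user-password admin NewPassw0rd
EOF

audit_hestia_cron "$SAMPLE_CRON"
# On a live host (assumed path): audit_hestia_cron /var/spool/cron/crontabs/admin
```

Any HIGH hit on a real host is a strong indicator that the cron job feature was abused; a REVIEW hit needs comparison against the jobs the installation is expected to run, since HestiaCP legitimately schedules its own maintenance scripts.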
No public exploit code observed for this vulnerability.
Summary: a broken access control vulnerability in the HestiaCP panel cron job feature that lets a low-privileged user modify privileged panel cron jobs and thereby run HestiaCP management scripts through passwordless sudo, leading to administrator account takeover and effective code execution on the underlying web server.