CRITICAL🇵🇱 Wersja polska

CVE-2025-30206

CVSS 9.8v3.1pub. 2025-04-15upd. 2026-04-15

Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. This issue is patched in version 1.6.1. A workaround for this vulnerability involves replacing the hardcoded secret with a securely generated value and load it from secure configuration storage.

🤖 AI Analysis
How it works

The default Dpanel configuration contains a hardcoded secret used to sign JWT tokens. An attacker analyzes the application source code (publicly available), discovers the embedded secret, and uses it to generate their own correctly signed JWT tokens. Forged tokens are accepted by the authentication mechanism as legitimate, allowing impersonation of privileged users and gaining unauthorized administrative access to the panel. Full access to the Docker panel translates into control over the host running Dpanel.

Impact

An attacker can completely bypass authentication, obtain administrator privileges, and gain full control over the host — including executing arbitrary commands, accessing sensitive data, escalating privileges, and performing lateral movement across the network.

Mitigation & patch

Dpanel should be updated to version 1.6.1, where the issue has been fixed. As a workaround, it is possible to manually replace the hardcoded secret with a secure, randomly generated value loaded from a secure configuration store.

Who is affected

Dpanel versions before 1.6.1 with default configuration containing hardcoded JWT secret

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassLPEContainer
CWE
References