HestiaCP Broken Access Control Flaw Enables Admin Takeover and RCE
A high-severity vulnerability in HestiaCP, tracked as CVE-2026-12196, allows a low-privileged user to take over administrator accounts by abusing the control panel's panel cron job feature. The flaw stems from broken authorization in cron job handling, where an undefined variable in an access-control check lets unauthorized users modify privileged jobs; the issue is compounded by missing CSRF token validation. Security reporting says the bug is remotely exploitable and carries a CVSS 4.0 score of 8.3.
- yesterdayCVE-2026-12196 entry published with high severity details
- yesterdayProject Black discloses HestiaCP admin takeover vulnerability


