cPanel before 82.0.15 Insufficient Session Expiration Vulnerability


When a cPanel user’s account was renamed or terminated, the API tokens belonging to the account were left installed on the system under the old name. Any new accounts created with the same name would allow access to the previous account’s API tokens.


The information has been provided by the vendor.

The original article can be found at:


cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).
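A defender's audit for the condition described above, as an added example that is not cPanel code or part of the original advisory: it flags tokens whose owner name matches no account, and tokens older than the account that now holds their owner name. The record layout (`owner`, `name`, `created`) and all sample data are constructed assumptions, not cPanel's on-disk token format.

```python
# Added example: audit for API tokens that outlived the account they were issued to.
# The record layout (owner, name, created) is an assumption, not cPanel's format.
from datetime import datetime, timezone

def ts(s):
    """Parse a constructed ISO date into an aware UTC datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def audit_tokens(accounts, tokens):
    """Return (orphaned, inherited) lists of token records.

    orphaned:  owner name matches no existing account (left behind after a
               rename or termination).
    inherited: owner name exists, but the token predates the account, so it
               was issued to an earlier account that used the same name.
    """
    orphaned, inherited = [], []
    for tok in tokens:
        created = accounts.get(tok["owner"])
        if created is None:
            orphaned.append(tok)
        elif tok["created"] < created:
            inherited.append(tok)
    return orphaned, inherited

# Constructed sample data: account name -> creation time of the current account.
ACCOUNTS = {
    "alice": ts("2019-01-10"),
    "shop": ts("2019-09-01"),  # name reused after an earlier "shop" was terminated
}
TOKENS = [
    {"owner": "alice", "name": "backup", "created": ts("2019-02-01")},  # legitimate
    {"owner": "shop", "name": "deploy", "created": ts("2018-06-15")},   # predates account
    {"owner": "oldname", "name": "ci", "created": ts("2019-03-03")},    # account renamed
]

if __name__ == "__main__":
    orphaned, inherited = audit_tokens(ACCOUNTS, TOKENS)
    for tok in orphaned:
        print(f"ORPHANED  {tok['owner']}/{tok['name']}: no such account, revoke")
    for tok in inherited:
        print(f"INHERITED {tok['owner']}/{tok['name']}: older than account, revoke")
```

Either finding means the token should be revoked; on a patched system both lists should stay empty after renames and terminations.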

Vulnerable Systems:

cPanel before 82.0.15 

CVE Information:


Disclosure Timeline:
Published Date: 10/09/2019