LeakyCreds

CVE-2026-29204 - Vulnerability Analysis

Critical | CVSS: 9.1

Last Updated: May 12, 2026

Client Area - Broken Access Control

Published: May 12, 2026 | Updated: May 12, 2026 | Remote Exploitable

Overview

Client area software contains a broken access control vulnerability caused by insufficient ownership checks in clientarea.php. It lets authenticated users access other users' addon resources and cPanel accounts. Exploitation requires user authentication.

Severity & Score

Severity: Critical
CVSS Score: 9.1

Impact

Authenticated users can access and control other users' resources and cPanel accounts, leading to unauthorized data access and potential account compromise.

Mitigation

Update to the latest version with proper ownership validation checks.

Details

CVE ID: CVE-2026-29204
Severity: Critical
CVSS Score: 9.1
Type: broken_access_control
Status: new

CWE

  • CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N