A critical security vulnerability has been unmasked in Convoy, the modern KVM server management panel used by businesses to manage virtualized infrastructure. The flaw, tracked as CVE-2026-33746, carries a CVSS score of 9.8, effectively providing a key to any account on an affected system.
The vulnerability lies within the core of Convoy’s Single Sign-On (SSO) authentication flow. Specifically, the JWTService::decode() method, the function responsible for reading and validating SSO tokens, was found to be missing a fundamental security check.
While the system was configured to use a secure signer (HMAC-SHA256), the decoder only checked whether a token was “on time” (validating its expiration and issuance dates). It never checked whether the token had actually been signed with the server’s key.
As the security advisory details, “The SignedWith constraint was not included in the validation step. This means an attacker could forge or tamper with JWT token payloads… and the token would be accepted as valid, as long as the time-based claims were satisfied”.
By crafting a token and inserting any user_uuid they desired, an attacker could trick the LoginController::authorizeToken endpoint into logging them in as any user, including a full system administrator.
This gives the attacker total control over the KVM management panel, allowing them to:
- Access and modify virtual machines and customer data.
- Disrupt services for hosting clients.
- Pivot deeper into the underlying Proxmox or KVM infrastructure.
Because the signature verification was entirely absent from the code’s execution path, there are no configuration changes that can close this hole.
The advisory warns, “There are no workarounds… the only remediation is to upgrade to the patched version”.
While disabling the SSO login endpoint would mitigate the risk, researchers acknowledge this is “not practical for most deployments” that rely on the feature for daily operations.
The vulnerability affects all Convoy installations prior to v4.5.1 that utilize JWT-based SSO.
The development team has released a patch in version 4.5.1 that adds the SignedWith constraint to the validation logic, so any token with a missing or invalid signature is rejected immediately. Hosting businesses and infrastructure providers are urged to upgrade to v4.5.1 or later without delay to prevent unauthorized access to their management consoles. After upgrading, it is worth confirming the fix by presenting the SSO endpoint with a token whose payload was altered after signing and checking that it is refused.