Missing JWT signature check enables Convoy SSO user impersonation
TL;DR — Convoy’s JWT-based SSO accepted forged tokens because signature verification was missing, enabling remote attackers to authenticate as arbitrary users.
What happened
Convoy is a KVM server management panel used by hosting providers to manage virtualization infrastructure and customer access.
A Critical advisory (CVSS v3.1 9.8) reports that Convoy’s JWTService::decode() validated only time-based claims (exp, nbf, iat) and did not verify the cryptographic signature on JWTs. Although an HMAC-SHA256 signer was configured (via lcobucci/jwt), the advisory states the SignedWith constraint was not included in the validation step, so tampered JWT payloads were accepted as long as the timestamps were valid.
This directly impacts the SSO flow (LoginController::authorizeToken): an attacker can craft a token with an arbitrary user_uuid and authenticate as that user.
Why this matters: JWT validation mistakes are a high-blast-radius auth failure mode — a single missing signature check turns “SSO” into a remote impersonation primitive across every protected route that trusts the session.
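To make the flaw concrete, here is an added example (written for this summary, not Convoy's own JWTService or the vendor's fix) that shows the two validation shapes side by side with lcobucci/jwt: a time-only check in the shape the advisory describes, and one that adds the SignedWith constraint. It finishes with a negative test: a token whose user_uuid claim has been altered while the original signature is kept is accepted by the first and rejected by the second. The function names, the secret and the uuid values are assumptions; the claim name user_uuid is the one the advisory mentions.

```php
<?php
declare(strict_types=1);

// Added example, not Convoy's code. Assumes lcobucci/jwt (4.x or 5.x) and
// lcobucci/clock installed via Composer. The secret and the user_uuid values
// are constructed for the demonstration.
require __DIR__ . '/vendor/autoload.php';

use Lcobucci\Clock\Clock;
use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\UnencryptedToken;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\Constraint\StrictValidAt;
use Lcobucci\JWT\Validation\RequiredConstraintsViolated;

// Vulnerable shape described by the advisory: the HMAC signer is configured, but
// only exp/nbf/iat are checked, so the signature never influences the outcome.
function decodeTimeOnly(Configuration $config, Clock $clock, string $jwt): UnencryptedToken
{
    $token = $config->parser()->parse($jwt);
    if (!$token instanceof UnencryptedToken) {
        throw new UnexpectedValueException('expected a plain (unencrypted) JWT');
    }
    $config->validator()->assert($token, new StrictValidAt($clock));
    return $token;
}

// Hardened shape: SignedWith binds the token to the configured signer and key.
// Any change to header or payload, or a token signed with another key, is rejected.
function decodeVerified(Configuration $config, Clock $clock, string $jwt): UnencryptedToken
{
    $token = $config->parser()->parse($jwt);
    if (!$token instanceof UnencryptedToken) {
        throw new UnexpectedValueException('expected a plain (unencrypted) JWT');
    }
    $config->validator()->assert(
        $token,
        new SignedWith($config->signer(), $config->signingKey()),
        new StrictValidAt($clock)
    );
    return $token;
}

// Regression-test helper: the same token with one claim changed and the original
// signature left in place, which is exactly what a time-only check lets through.
function withAlteredClaim(string $jwt, string $claim, string $value): string
{
    [$header, $payload, $signature] = explode('.', $jwt, 3);
    $pad    = str_repeat('=', (4 - strlen($payload) % 4) % 4);
    $claims = json_decode(base64_decode(strtr($payload . $pad, '-_', '+/')), true, 512, JSON_THROW_ON_ERROR);
    $claims[$claim] = $value;
    $encoded = rtrim(strtr(base64_encode(json_encode($claims, JSON_THROW_ON_ERROR)), '+/', '-_'), '=');
    return "{$header}.{$encoded}.{$signature}";
}

$config = Configuration::forSymmetricSigner(
    new Sha256(),
    InMemory::plainText('constructed-example-secret-do-not-reuse-0123456789') // constructed
);
$clock = SystemClock::fromUTC();
$now   = $clock->now();

// A legitimately issued SSO token for one user (claim name as in the advisory).
$legit = $config->builder()
    ->issuedAt($now)
    ->canOnlyBeUsedAfter($now)
    ->expiresAt($now->modify('+5 minutes'))
    ->withClaim('user_uuid', 'constructed-uuid-of-user-a')
    ->getToken($config->signer(), $config->signingKey())
    ->toString();

// Same token with user_uuid swapped but the original signature kept.
$altered = withAlteredClaim($legit, 'user_uuid', 'constructed-uuid-of-another-user');

// Time-only validation accepts the altered token and would log in the other user.
$who = decodeTimeOnly($config, $clock, $altered)->claims()->get('user_uuid');
echo "time-only decode accepted user_uuid={$who}" . PHP_EOL;

// Hardened validation accepts the genuine token and rejects the altered one.
decodeVerified($config, $clock, $legit);
try {
    decodeVerified($config, $clock, $altered);
    echo 'BUG: signature check is still missing' . PHP_EOL;
} catch (RequiredConstraintsViolated $e) {
    echo 'hardened decode rejected the altered token: ' . $e->getMessage() . PHP_EOL;
}
```

The point of the side-by-side is that in the vulnerable shape the signer is configured but never consulted; the validator only evaluates the constraints it is handed, so a configured key is not a check. Keeping the altered-claim case as a unit test means a later refactor that drops the SignedWith constraint fails CI instead of silently reopening the impersonation path.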
Who is impacted
- Convoy installations using JWT-based SSO authentication.
- Affected version range in the advisory: >= v3.9.0-beta, < 4.5.1.

| Component | Affected versions (per advisory) | Patched versions (per advisory) |
|---|---|---|
| convoypanel/panel | >= v3.9.0-beta, < 4.5.1 | >= 4.5.1 |
What to do now
- Follow vendor remediation guidance and apply the patched release:
  - "Users should upgrade to v4.5.1 or later immediately."
- Assume this is an account compromise risk for any exposed SSO entrypoint:
  - Identify internet-reachable SSO endpoints and prioritize those deployments for patching.
  - Review auth/SSO logs for anomalous token-based logins and suspicious cross-user access patterns (unexpected user switches, first-time logins for privileged accounts, unusual IP/user-agent).
- If you suspect abuse, treat this like an auth boundary break:
  - Rotate credentials/secrets accessible to the Convoy service (API keys, database credentials, infrastructure tokens), and invalidate active sessions where feasible.
- Workaround guidance (vendor):
  - "There are no workarounds. The signature verification was entirely absent from the decode path, so the only remediation is to upgrade to the patched version. Disabling the SSO login endpoint would mitigate exposure but is not practical for most deployments."
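The log-review step above is easier to act on with a small triage script. The following is an added example, not part of Convoy or the advisory: the newline-delimited JSON event format, its field names, the privileged-account list and the known-IP baseline are all constructed assumptions to be replaced with whatever the deployment's auth/SSO logs actually contain. It flags the three signals the list names: a first-ever login for a privileged account, a login from an IP not previously seen for that user, and a session that was established as one user but is later acting as another.

```php
<?php
declare(strict_types=1);

// Added example for the log-review step; not Convoy's code. The event format,
// field names, privileged list and baseline below are constructed assumptions.

// Constructed sample: newline-delimited JSON auth events from one review window.
const SAMPLE_LOG = <<<'LOG'
{"ts":"2026-04-01T09:00:00Z","event":"sso_login","user_uuid":"user-a","ip":"203.0.113.10","ua":"Mozilla/5.0","session":"sess-1"}
{"ts":"2026-04-01T09:05:00Z","event":"request","user_uuid":"user-a","ip":"203.0.113.10","ua":"Mozilla/5.0","session":"sess-1"}
{"ts":"2026-04-01T09:07:00Z","event":"sso_login","user_uuid":"admin-root","ip":"198.51.100.7","ua":"curl/8.0","session":"sess-2"}
{"ts":"2026-04-01T09:08:00Z","event":"request","user_uuid":"user-b","ip":"198.51.100.7","ua":"curl/8.0","session":"sess-2"}
LOG;

// Constructed baseline describing "normal" before the window under review.
const PRIVILEGED_USERS      = ['admin-root'];
const PREVIOUSLY_SEEN_USERS = ['user-a', 'user-b'];
const KNOWN_IPS             = ['user-a' => ['203.0.113.10'], 'user-b' => ['203.0.113.22']];

/**
 * Walks the events in order and returns findings as [signal, timestamp, detail].
 * @param string[] $privileged  uuids whose first-ever login is always worth a look
 * @param string[] $seenUsers   uuids that had logged in before the review window
 * @param array<string,string[]> $knownIps  per-user IPs observed before the window
 */
function reviewSsoLog(string $ndjson, array $privileged, array $seenUsers, array $knownIps): array
{
    $findings     = [];
    $sessionOwner = [];   // session id => user_uuid that the SSO login established

    foreach (preg_split('/\R/', trim($ndjson)) as $line) {
        if ($line === '') {
            continue;
        }
        $e    = json_decode($line, true, 512, JSON_THROW_ON_ERROR);
        $user = $e['user_uuid'];

        if ($e['event'] === 'sso_login') {
            if (in_array($user, $privileged, true) && !in_array($user, $seenUsers, true)) {
                $findings[] = ['first_login_privileged', $e['ts'],
                    "first SSO login ever seen for privileged account {$user} from {$e['ip']}"];
            }
            if (!in_array($e['ip'], $knownIps[$user] ?? [], true)) {
                $findings[] = ['new_ip', $e['ts'],
                    "{$user} logged in from previously unseen IP {$e['ip']} (user-agent {$e['ua']})"];
            }
            $sessionOwner[$e['session']] = $user;
        } elseif (isset($sessionOwner[$e['session']]) && $sessionOwner[$e['session']] !== $user) {
            $findings[] = ['user_switch', $e['ts'],
                "session {$e['session']} was established as {$sessionOwner[$e['session']]} but is now acting as {$user}"];
        }
    }
    return $findings;
}

// On the constructed sample this reports three findings: the privileged first login,
// the unseen IP for admin-root, and sess-2 switching from admin-root to user-b.
foreach (reviewSsoLog(SAMPLE_LOG, PRIVILEGED_USERS, PREVIOUSLY_SEEN_USERS, KNOWN_IPS) as [$signal, $ts, $detail]) {
    printf("[%s] %s: %s\n", $signal, $ts, $detail);
}
```

Feed it a real export by replacing SAMPLE_LOG with the file contents and mapping the field names. The baseline is the part that needs real data: a first-time login or an unfamiliar IP only means something relative to what the deployment looked like before the exposure window, so build it from logs that predate the affected release.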
Additional Information
- CVE record (CVE JSON 5.2): https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33746.json
- Release tag referenced by the CVE record: https://github.com/ConvoyPanel/panel/releases/tag/v4.5.1
