### Summary

A CAPTCHA bypass vulnerability in the 1Panel authentication API allows an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections could be bypassed, enabling automated login attempts and significantly increasing the risk of account takeover (ATO).

### Details

The `/api/login` endpoint accepts a boolean field named `ignoreCaptcha` directly from the client request body:

`"ignoreCaptcha": true`

The backend implementation uses this value to determine w…
GHSA-qmg5-v42x-qqhq: 1Panel – CAPTCHA Bypass via Client-Controlled Flag
1Panel authentication API has a CAPTCHA bypass vulnerability (GHSA-qmg5-v42x-qqhq) allowing unauthenticated attackers to disable CAPTCHA verification via a client-controlled parameter.
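
The trust decision described in the advisory, as an added Go example that is not 1Panel's code: one check lets the client-supplied `ignoreCaptcha` flag gate verification, the other decides from server-held state only. Every name other than `ignoreCaptcha` (the struct fields, `verifyCaptcha`, `captchaEnabled`, the sample body) is an assumption made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// LoginReq: only ignoreCaptcha is from the advisory; other fields are assumed.
type LoginReq struct {
	Name          string `json:"name"`
	Password      string `json:"password"`
	Captcha       string `json:"captcha"`
	IgnoreCaptcha bool   `json:"ignoreCaptcha"`
}

var ErrCaptcha = errors.New("captcha missing or incorrect")

// verifyCaptcha is a hypothetical stand-in for a server-side CAPTCHA store.
func verifyCaptcha(answer string) bool { return answer == "expected-answer" }

// checkTrusting shows the flawed pattern: the client flag gates the check.
func checkTrusting(req LoginReq) error {
	if !req.IgnoreCaptcha && !verifyCaptcha(req.Captcha) {
		return ErrCaptcha
	}
	return nil
}

// checkServerSide never reads req.IgnoreCaptcha; only captchaEnabled (assumed server config) can skip it.
func checkServerSide(req LoginReq, captchaEnabled bool) error {
	if captchaEnabled && !verifyCaptcha(req.Captcha) {
		return ErrCaptcha
	}
	return nil
}

// Decode parses a JSON login body into LoginReq.
func Decode(body string) (LoginReq, error) {
	var r LoginReq
	err := json.Unmarshal([]byte(body), &r)
	return r, err
}

func main() {
	// Constructed sample body: empty CAPTCHA answer plus the client flag.
	req, _ := Decode(`{"name":"admin","password":"x","captcha":"","ignoreCaptcha":true}`)
	fmt.Println("trusting check error:", checkTrusting(req))
	fmt.Println("server-side check error:", checkServerSide(req, true))
}
```

A request field that changes a security control is worth flagging in code review and in API schema validation, since JSON binding will populate it from any body that includes it.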