CVE-2023-26957

9.1 CRITICAL

📋 TL;DR

Onekeyadmin v1.3.9 contains an arbitrary file deletion vulnerability in the plugins controller. An authenticated admin user can delete any file the PHP worker process is permitted to unlink, which can cause denial of service or, by removing security-relevant configuration, further compromise. All deployments of onekeyadmin v1.3.9 are affected.

💻 Affected Systems

Products:
  • onekeyadmin
Versions: v1.3.9
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the admin interface. The vulnerable controller ships in the default installation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through deletion of critical files: application code, configuration and on-disk database files that the PHP worker can reach. If PHP runs as root, or the whole web root is writable by the worker, this means permanent data loss and a full outage.

🟠

Likely Case

Application or system downtime through deletion of configuration files, web content, or database files.

🟢

If Mitigated

Limited impact if proper file permissions and access controls prevent deletion of critical files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated admin access. The vulnerability is straightforward to exploit once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/keheying/onekeyadmin/issues/3

Restart Required: No

Instructions:

No official patch is available. Upgrade to a later release if the vendor publishes one; until then apply the workarounds below.

🔧 Temporary Workarounds

Restrict Admin Access

all

Allow the admin path only from trusted management addresses. The 192.168.1.0/24 range below is an example and must be replaced with your own. Keep the application's PHP handling (the php-fpm/FastCGI directives) inside the restricted location; otherwise the admin pages stop working, and on nginx a separate regex location for .php files would otherwise be selected first and bypass the rule.

# Apache 2.4: allow the admin path only from the management network
<Location "/admin">
    Require ip 192.168.1.0/24
</Location>
# Nginx: ^~ stops a separate "location ~ \.php$" from matching first and bypassing the rule
location ^~ /admin { allow 192.168.1.0/24; deny all; }

File Permission Hardening

linux

Unlinking a file is authorised by write and search permission on its parent directory, not by the file's own mode, so chmod 644 on the PHP files alone does not stop a deletion bug running as the PHP worker. Have the code and configuration owned by a deploy user (root below), make directories readable but not writable by the worker, and grant the worker write access only to the directories the application must write to (uploads, cache). Files that must survive even inside a writable directory can be made immutable with chattr +i until an administrator clears the flag.

# Code and config owned by root, readable by the PHP worker's group (www-data), not writable by it
chown -R root:www-data /var/www/html
find /var/www/html -type d -exec chmod 750 {} +
find /var/www/html -type f -exec chmod 640 {} +
# Only the directories the application must write to (uploads, cache); the paths depend on your install
chown -R www-data:www-data /var/www/html/<writable-dir>
chmod 750 /var/www/html/<writable-dir>
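To check whether the hardening actually holds, the following added example (not code from this page or from the onekeyadmin project) walks a web root and lists every directory whose mode lets a given uid/gid unlink files in it, which is exactly where the vulnerable controller could delete things. It builds a constructed sample tree in a temporary directory; on a real host you would call deletable_dirs on the web root with the PHP worker's uid and gid from pwd.getpwnam. The sample layout is invented for the demo and is not onekeyadmin's real directory structure.

```python
"""Audit which directories a given PHP worker identity could delete files from.

Added example, not code from the page or from the onekeyadmin project. It relies on a
POSIX fact: unlink() is authorised by write+search (w+x) permission on the parent
directory; the mode of the file being removed does not matter. The sample tree below is
constructed for the demo and is not onekeyadmin's real layout.
"""
import os
import stat
import tempfile
from typing import List, Tuple


def dir_allows_unlink(st: os.stat_result, uid: int, gid: int) -> bool:
    """Mode-bit check: can identity (uid, gid) unlink entries in the directory described by st?

    Simplifications: only the primary gid is considered (no supplementary groups), and a
    sticky directory is still reported, which is the conservative choice for an audit.
    """
    if uid == 0:
        return True  # root bypasses discretionary permission checks
    mode = st.st_mode
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid == gid:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (mode & need) == need


def deletable_dirs(root: str, uid: int, gid: int) -> List[str]:
    """Sorted relative paths of directories under root in which (uid, gid) could unlink files."""
    hits = []
    for dirpath, _subdirs, _files in os.walk(root):
        if dir_allows_unlink(os.lstat(dirpath), uid, gid):
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


# Constructed sample layout: code directories 0755, one upload directory left world-writable.
SAMPLE_TREE = {
    "": 0o755,
    "app": 0o755,
    "app/admin": 0o755,
    "app/admin/controller": 0o755,
    "public": 0o755,
    "public/uploads": 0o777,
}


def build_sample_webroot(base: str) -> str:
    """Create the sample tree under base, with one placeholder file per directory."""
    root = os.path.join(base, "webroot")
    for rel in SAMPLE_TREE:
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        with open(os.path.join(path, "placeholder.txt"), "w") as fh:
            fh.write("x\n")
    for rel, mode in SAMPLE_TREE.items():  # chmod after creation so the umask cannot interfere
        os.chmod(os.path.join(root, rel), mode)
    return root


def non_owner_identity() -> Tuple[int, int]:
    """Stand-in for the PHP worker: an identity that neither owns the tree nor shares its group.

    On a real host use pwd.getpwnam("www-data") (or whatever user php-fpm runs as).
    """
    return os.getuid() + 1, os.getgid() + 1


def audit_sample(uid: int, gid: int) -> List[str]:
    """Build the sample tree in a temporary directory and audit it for (uid, gid)."""
    with tempfile.TemporaryDirectory() as tmp:
        return deletable_dirs(build_sample_webroot(tmp), uid, gid)


if __name__ == "__main__":
    worker_uid, worker_gid = non_owner_identity()
    for rel in audit_sample(worker_uid, worker_gid):
        print("PHP worker could unlink files in:", rel)
    # Real deployment: deletable_dirs("/var/www/html", pw.pw_uid, pw.pw_gid) with pw from pwd.getpwnam
```

Only public/uploads is reported for the non-owner identity; passing uid 0 reports every directory, which is the point of never running php-fpm as root.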

🧯 If You Can't Patch

  • Implement network segmentation to isolate the vulnerable system
  • Monitor file deletion events and admin access logs for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check if running onekeyadmin v1.3.9 by examining version files or package metadata.

Check Version:

grep -rIn 'version' /path/to/onekeyadmin/ | grep -F '1.3.9'

Verify Fix Applied:

No official fix exists, so verify the compensating controls instead: a request to /admin/controller/plugins.php from an address outside the allowlist must be refused (HTTP 403), and the PHP worker must not have write permission on the directories holding the application's code and configuration (check the parent directory's mode, since that is what governs deletion).

📡 Detection & Monitoring

Log Indicators:

  • Unusual file deletion events in system logs
  • Multiple failed or successful admin login attempts
  • Access to /admin/controller/plugins.php with DELETE or POST parameters

Network Indicators:

  • HTTP requests to /admin/controller/plugins with file deletion parameters
  • Unusual outbound traffic following admin access

SIEM Query:

source="web_server" AND (uri="/admin/controller/plugins" OR uri="/admin/controller/plugins.php") AND (method="POST" OR method="DELETE")
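The log indicators above, applied to raw access-log lines, as an added example that is not part of this page or of the onekeyadmin project. It parses Apache/nginx "combined" format and flags POST/DELETE requests to either spelling of the plugins controller URI, traversal sequences in the decoded query string (a heuristic; the page does not name the parameter that carries the file path, and the "file" parameter in the sample is an assumed name), and admin requests from outside the allowlist used in the workaround section. The sample log lines are constructed. Standard access logs do not contain POST bodies, so body parameters can only be inspected with a WAF or request-body logging.

```python
"""Flag suspicious requests to the onekeyadmin plugins controller in web-server access logs.

Added example, not code from the page or the onekeyadmin project. It reads Apache/nginx
"combined"-format lines and raises an alert on the indicators listed above. The sample log
lines are constructed; the "file" query parameter in one of them is an assumed name, since
the page does not say which parameter carries the path. POST bodies are not present in a
standard access log, so this script sees method, path and query string only.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Both spellings of the controller URI that the page lists.
PLUGINS_RE = re.compile(r"^/admin/controller/plugins(?:\.php)?(?:/|$)", re.IGNORECASE)
# Heuristic: traversal sequences anywhere in the decoded query string.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Management network from the web-server workaround above; replace with your own range.
ADMIN_ALLOWLIST = [ip_network("192.168.1.0/24")]


@dataclass
class Alert:
    ip: str
    method: str
    uri: str
    reasons: List[str] = field(default_factory=list)


def analyse(line: str) -> Optional[Alert]:
    """Return an Alert for one access-log line, or None if nothing on it is suspicious."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None  # unparseable line; count these separately in production
    ip, method, uri = m["ip"], m["method"], m["uri"]
    path, _, query = uri.partition("?")
    if not path.lower().startswith("/admin"):
        return None  # only the admin interface is in scope
    reasons = []
    if PLUGINS_RE.match(path) and method in ("POST", "DELETE"):
        reasons.append("mutating request to plugins controller")
    # Decode twice so one layer of double encoding (%252e%252e) does not hide the sequence.
    if TRAVERSAL_RE.search(unquote(unquote(query))):
        reasons.append("path traversal in query string")
    try:
        if not any(ip_address(ip) in net for net in ADMIN_ALLOWLIST):
            reasons.append("admin request from outside allowlist")
    except ValueError:
        reasons.append("unparseable client address")
    return Alert(ip, method, uri, reasons) if reasons else None


def scan(lines: List[str]) -> List[Alert]:
    """Run analyse() over every line and keep the alerts."""
    return [a for a in (analyse(line) for line in lines) if a is not None]


# Constructed sample log (not real traffic): one benign admin GET from the allowlist, one
# external POST to the controller with traversal in the query, one internal POST, one public hit.
SAMPLE_LOG = [
    '192.168.1.20 - - [10/Mar/2023:12:00:01 +0000] "GET /admin/index/index HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2023:12:00:05 +0000] "POST /admin/controller/plugins.php?file=..%2F..%2Fconfig%2Fdatabase.php HTTP/1.1" 200 17 "-" "curl/7.88.1"',
    '192.168.1.20 - - [10/Mar/2023:12:00:09 +0000] "POST /admin/controller/plugins HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2023:12:00:12 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ip} {alert.method} {alert.uri}: {', '.join(alert.reasons)}")
```

The external POST trips all three rules; the internal POST to the controller is still reported, because the page's own SIEM query treats every mutating request to that controller as worth a look, and the allowlist only tells you whether the source was expected.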
