CVE-2026-33746

Convoy · Convoy Panel

A critical JWT signature verification failure in Convoy allows unauthenticated attackers to forge tokens and bypass SSO authentication to log in as any user.

Executive summary

Convoy Panel versions 3.9.0-beta through 4.5.0 fail to verify JWT signatures, allowing attackers to impersonate any user and gain full administrative access.

Vulnerability

The JWTService::decode() method fails to include the SignedWith constraint during validation. While it checks time-based claims, it does not verify the cryptographic signature. An unauthenticated attacker can forge a JWT with an arbitrary user_uuid to bypass the SSO flow and authenticate as any user.
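The two shapes of the decode step, as an added illustration that is not Convoy's code: it assumes the lcobucci/jwt v4 library (the one whose SignedWith constraint the advisory names), HMAC-SHA256, a placeholder secret and the user_uuid claim mentioned above, and it shows why a token minted under any other key passes the vulnerable validator but not the fixed one.

```php
<?php
// Added illustration, not Convoy's code. Assumes lcobucci/jwt v4, HMAC-SHA256 and
// a user_uuid claim; every key and value here is a constructed placeholder.
require __DIR__ . '/vendor/autoload.php';
use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Token\UnencryptedToken;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\Constraint\StrictValidAt;
use Lcobucci\JWT\Validation\RequiredConstraintsViolated;

$config = Configuration::forSymmetricSigner(new Sha256(), InMemory::plainText('placeholder-server-secret'));
// Vulnerable shape: only time claims are asserted. The signature is parsed but
// never compared, so any token whose exp/nbf/iat window is open is trusted.
function decodeVulnerable(Configuration $config, string $jwt): UnencryptedToken
{
    $token = $config->parser()->parse($jwt);
    $config->validator()->assert($token, new StrictValidAt(SystemClock::fromUTC()));
    return $token;
}
// Fixed shape: SignedWith binds the token to the configured signer and key, so
// the signature is verified before user_uuid or any other claim is read.
function decodeFixed(Configuration $config, string $jwt): UnencryptedToken
{
    $token = $config->parser()->parse($jwt);
    $config->validator()->assert(
        $token,
        new SignedWith($config->signer(), $config->signingKey()),
        new StrictValidAt(SystemClock::fromUTC()),
    );
    return $token;
}

// A token minted under a key the server does not hold, i.e. what an
// unauthenticated party can produce. Its time claims are all valid.
$now = new DateTimeImmutable();
$foreign = $config->builder()
    ->issuedAt($now)->canOnlyBeUsedAfter($now)->expiresAt($now->modify('+5 minutes'))
    ->withClaim('user_uuid', 'constructed-uuid')
    ->getToken($config->signer(), InMemory::plainText('some-other-key'))
    ->toString();

echo decodeVulnerable($config, $foreign)->claims()->get('user_uuid'), PHP_EOL; // accepted
try {
    decodeFixed($config, $foreign);
} catch (RequiredConstraintsViolated $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL; // signature does not verify
}
```

The same SignedWith check is the one to confirm is present in the patched decode() after upgrading; a validator that asserts only time-based constraints reproduces the flaw regardless of how strong the signing key is.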

Business impact

This flaw allows for a complete bypass of authentication. An attacker can gain administrative control over the KVM management panel, allowing them to manage, delete, or access any virtual machine on the system. With a CVSS score of 9.8, this represents a catastrophic risk to hosting businesses and their clients' data.

Remediation

Immediate Action: Upgrade Convoy to version 4.5.1, which restores JWT signature verification, without delay.

Proactive Monitoring: Review authentication logs for unusual logins or logins from unexpected IP addresses, specifically looking for administrative access patterns.

Compensating Controls: Restrict access to the management panel to an IP allow list, and consider adding a second authentication factor (e.g., hardware-based MFA) so that access does not depend solely on the validity of a JWT.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This is an emergency-level vulnerability for any organization using Convoy. The ability for an unauthenticated attacker to forge an identity and gain access to a server management panel is a "game-over" scenario. The patch to version 4.5.1 must be applied immediately.