ringo380/claude-cpanel-mcp
critical
cPanel UAPI MCP server bundled as a Claude Code plugin — email, DNS, files, MySQL, SSL, cron, backups on shared cPanel hosting. cPHulk-safe.
This MCP server provides a curated set of tools for managing shared cPanel hosting environments via the cPanel UAPI, including email, DNS, files, MySQ...
// Source file not analyzed: src/tools/generic.js
// Finding inferred from import chain: src/index.ts:97
// Local-with-credentials: requires compromised LLM or malicious prompt to exploit.
The uapi_call tool is a generic escape hatch that allows calling any cPanel UAPI function. This bypasses the curated tool set and can perform operations not intended by the server's design, such as modifying system settings, accessing other users' data, or executing privileged actions.
Impact: An attacker with access to the MCP (e.g., via prompt injection) could invoke arbitrary UAPI functions, potentially compromising the entire cPanel account or server.
Fix: Remove the uapi_call tool or restrict it to a whitelist of safe functions. Alternatively, require explicit user confirmation for each call.
// Source file not analyzed: src/tools/files-write.js
// Finding inferred from import chain: src/index.ts:101
// Local-with-credentials: requires compromised LLM or malicious prompt to exploit.
The files_write_* tools allow writing arbitrary content to any file on the server that the cPanel user has access to. This can be used to overwrite configuration files, inject malicious code, or modify system binaries.
Impact: An attacker could gain persistent access, escalate privileges, or disrupt services by writing malicious files.
Fix: Restrict file write operations to a specific directory (e.g., the user's home directory) and validate paths to prevent traversal.
// Source file not analyzed: src/tools/generic.js
// Finding inferred from import chain: src/index.ts:18 → src/tools/generic.js
// Local-only MCP, requires compromised LLM to exploit
The uapi_call tool provides unrestricted access to all ~80 cPanel UAPI modules and functions, far exceeding the curated set of tools. This allows an attacker with compromised LLM access to perform any operation the cPanel API token permits, including account suspension, password changes, and other administrative actions not covered by the documented tool set.
Impact: A compromised LLM could use uapi_call to execute arbitrary cPanel UAPI functions, potentially modifying account settings, creating or deleting resources, or accessing sensitive data beyond the intended scope of the MCP server.
Fix: Remove the uapi_call tool or restrict it to a whitelist of allowed modules/functions. Alternatively, require explicit user confirmation for any uapi_call invocation.
// Source file not analyzed: src/tools/cron.js
// Finding inferred from import chain: src/index.ts:26 → src/tools/cron.js
// Local-only MCP, requires compromised LLM to exploit
The cron_add tool accepts an arbitrary command string without validation. A compromised LLM could schedule execution of arbitrary commands on the server, leading to remote code execution.
Impact: An attacker could execute arbitrary shell commands on the server at scheduled times, achieving persistent access or data exfiltration.
Fix: Restrict cron commands to a whitelist of allowed scripts or validate that the command does not contain dangerous characters. Consider using a predefined set of safe commands.
// Source file not analyzed: src/tools/files.js
// Finding inferred from import chain: src/index.ts:21 → src/tools/files.js
// Local-only MCP, requires compromised LLM to exploit
The files_read_file tool accepts a path parameter without any validation or restriction. While the cPanel API may enforce some path constraints, the tool itself does not sanitize or restrict paths, potentially allowing path traversal or reading files outside the intended scope (e.g., /etc/passwd).
Impact: A compromised LLM could read arbitrary files on the server that the cPanel API token has access to, leading to information disclosure of sensitive files.
Fix: Validate that the path is within the user's home directory or a whitelist of allowed directories. Use path normalization and reject paths containing '..' or starting with '/'.
// Source file not analyzed: src/tools/files-write.js
// Finding inferred from import chain: src/index.ts:22 → src/tools/files-write.js
// Local-only MCP, requires compromised LLM to exploit
The file write tool accepts an arbitrary path without validation, allowing a compromised LLM to write files to any location the cPanel API token permits, potentially overwriting critical system files or web content.
Impact: A compromised LLM could write malicious files (e.g., web shells) to arbitrary directories, leading to remote code execution or defacement.
Fix: Restrict file writes to a specific directory (e.g., the user's home directory or public_html). Validate and sanitize the path to prevent traversal.
// Source file not analyzed: src/tools/dns.js
// Finding inferred from import chain: src/index.ts:20 → src/tools/dns.js
// Local-only MCP, requires compromised LLM to exploit
DNS tools accept arbitrary zone names, record names, types, and data without validation. A compromised LLM could add, edit, or remove DNS records to redirect traffic, exfiltrate data, or perform phishing attacks.
Impact: An attacker could modify DNS records to point domains to malicious servers, intercept email, or cause denial of service.
Fix: Validate that zone names are within the user's domains, restrict record types to a safe set, and sanitize data fields to prevent injection.
// Source file not analyzed: src/tools/files.js
// Finding inferred from import chain: src/index.ts:100
// Local-with-credentials: requires compromised LLM or malicious prompt to exploit.
File tools (list, read, delete) may accept user-supplied paths without proper validation, allowing path traversal attacks (e.g., ../../../etc/passwd).
Impact: An attacker could read or delete arbitrary files outside the intended scope, leading to information disclosure or data loss.
Fix: Validate and sanitize all file paths, restrict to a base directory, and reject paths containing '..' or absolute paths.
// Source file not analyzed: src/tools/cron.js
// Finding inferred from import chain: src/index.ts:105
// Local-with-credentials: requires compromised LLM or malicious prompt to exploit.
Cron job tools may accept user-supplied command strings that are passed directly to the cPanel API. If the API does not sanitize the command, an attacker could inject arbitrary shell commands.
Impact: An attacker could execute arbitrary commands on the server with the privileges of the cPanel user.
Fix: Sanitize or validate the command parameter to ensure it contains only safe characters and does not allow shell metacharacters.
// Source file not analyzed: src/tools/ssl.js
// Finding inferred from import chain: src/index.ts:25 → src/tools/ssl.js
// Local-only MCP, requires compromised LLM to exploit
The SSL install tool accepts arbitrary certificate and key content without validation. A compromised LLM could install a malicious certificate, enabling man-in-the-middle attacks or impersonation of the domain.
Impact: An attacker could install a self-signed or rogue certificate, intercepting or redirecting encrypted traffic for the domain.
Fix: Validate that the certificate and key are properly formatted and match the domain. Consider requiring user confirmation before installing SSL certificates.
// Source file not analyzed: src/config.js
// Finding inferred from import chain: src/index.ts:15 → src/config.js
// Local-only MCP, requires compromised LLM to exploit; also exploitable by any local user with file read access
The configuration file stores cPanel API tokens in plaintext. While this is common for local tools, it means any process with access to the user's home directory can read the credentials.
Impact: An attacker with local access could read the API token and gain full access to the cPanel account.
Fix: Use a secure credential store (e.g., OS keychain, encrypted file) or at minimum set restrictive file permissions (0600).
function buildInstructions(): string {
  const base =
    'cpanel-mcp wraps the cPanel UAPI ...';
  if (initialConfig.ok) {
    return (
      base +
      ` Configured at startup: profile="${initialConfig.profile}", ` +
      `user="${initialConfig.config!.user}", host="${initialConfig.config!.host}:${initialConfig.config!.port}". ` +
      ...
    );
  }
  ...
}
// Local-with-credentials: requires compromised LLM to leak info.
The buildInstructions function includes the configured host, port, and username in the instructions string, which is sent to the LLM. If the LLM is compromised or subject to prompt injection, this information could be leaked.
Impact: An attacker could learn the cPanel host and username, aiding in further attacks.
Fix: Remove sensitive details from instructions or mask them (e.g., show only partial hostname).