Situation
A security vulnerability was discovered in Plesk's XML API protocol that allows cleartext FTP passwords to be exposed. This issue affects XML protocol versions below 1.4.2.0. This security vulnerability has been identified as CVE-2026-56843.
Affected product version
| Product | Affected versions | Patched version |
|---|---|---|
| Plesk | Below 18.0.79 | 18.0.79 |
Impact
Exposure of cleartext FTP credentials is possible, which may allow an attacker to upload malicious files and execute arbitrary code remotely (RCE).
Call to action
- If you are running Plesk Obsidian, update to the latest build by following How to update Plesk Obsidian to the latest build.
- If you are running an earlier Plesk version, upgrade to Plesk Obsidian by following How to upgrade Plesk to the next release.
Mitigation
Apply this mitigation only if you can't upgrade right now
Mitigate the vulnerability by disabling API access.
To disable API access, edit panel.ini as described in How to edit Plesk panel.ini and add the following section:
CONFIG_TEXT: [api]
enabled = off
Acknowledgements
We would like to thank Georgii Shutiaev for responsibly disclosing this vulnerability and working with us to help protect our customers.
Comments
Please sign in to leave a comment.