Privacy issue: CloudPanel pings home on every ssh login #149

New Issue

MrUnknownDE · 2026-04-05T20:25:35+02:00

MrUnknownDE commented

2026-04-05 20:25:35 +02:00

Originally created by @user8547 on 12/20/2024

CloudPanel version(s) affected

2.5.0

Description

It seems that on every ssh login, a request is being sent to a host controlled by CloudPanel developers.

This is due to this code in /etc/update-motd.d/10-cloudpanel:

CLOUDPANEL_URL="https://$(curl -sk --connect-timeout 5 --retry 3 --retry-delay 0 https://d3qnd54q8gb3je.cloudfront.net/):8443"
CUSTOM_CLP_DOMAIN=$(/usr/bin/cat /etc/.clp_custom_domain 2>/dev/null)

if [ ! -z "$CUSTOM_CLP_DOMAIN" ]; then
  CLOUDPANEL_URL="https://$CUSTOM_CLP_DOMAIN/"
fi

Supposedly, the request is made to determine the IP address of the CloudPanel instance. However, the request is made even when a custom CLP domain is used, and hence there would be no need to determine the IP.

As a result, the developers of CloudPanel learn the IP address of the CloudPanel instance and can track every login to the server.

It would be helpful if the CloudPanel developers would clarify what other "pinging home" mechanisms the software is using, as this is not reflected in the privacy policy (which currently considers only CloudPanel instance run on cloudpanel.io).

Being transparent on what data the software collects from our machines would greatly help to improve the trustworthiness of the CloudPanel software. This is crucial as the great solution that CloudPanel developers have built becomes increasingly popular on the internet.

How to reproduce

See above.

Possible Solution

No response

Additional Context

No response

*Originally created by @user8547 on 12/20/2024* ### CloudPanel version(s) affected 2.5.0 ### Description It seems that on every ssh login, a request is being sent to a host controlled by CloudPanel developers. This is due to this code in `/etc/update-motd.d/10-cloudpanel`: ``` CLOUDPANEL_URL="https://$(curl -sk --connect-timeout 5 --retry 3 --retry-delay 0 https://d3qnd54q8gb3je.cloudfront.net/):8443" CUSTOM_CLP_DOMAIN=$(/usr/bin/cat /etc/.clp_custom_domain 2>/dev/null) if [ ! -z "$CUSTOM_CLP_DOMAIN" ]; then CLOUDPANEL_URL="https://$CUSTOM_CLP_DOMAIN/" fi ``` Supposedly, the request is made to determine the IP address of the CloudPanel instance. However, the request is made even when a custom CLP domain is used, and hence there would be no need to determine the IP. As a result, the developers of CloudPanel learn the IP address of the CloudPanel instance and can track every login to the server. It would be helpful if the CloudPanel developers would clarify what other "pinging home" mechanisms the software is using, as this is not reflected in the privacy policy (which currently considers only CloudPanel instance run on `cloudpanel.io`). Being transparent on what data the software collects from our machines would greatly help to improve the trustworthiness of the CloudPanel software. This is crucial as the great solution that CloudPanel developers have built becomes increasingly popular on the internet. ### How to reproduce See above. ### Possible Solution _No response_ ### Additional Context _No response_

MrUnknownDE closed this issue

2026-04-05 20:25:35 +02:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/cloudpanel-ce#149