## Critical Xray Security Flaw: Private Key Stored in Plaintext, Exposing VPN Servers to Impersonation
A critical vulnerability in the Xray VPN server software exposes its private cryptographic key in plaintext, creating a direct path for attackers to impersonate legitimate servers and potentially decrypt user traffic. The flaw centers on the mishandling of the XTLS-Reality private key, which is improperly saved to a server configuration file and then transmitted to and stored within the administrative panel's database. This means any actor with access to the admin panel—whether through compromised credentials or an insider threat—can directly read the private key from the database or API responses.

The vulnerability chain is straightforward and severe. First, the panel generates and saves the Reality private key directly into its database. It then writes the same key to the server's `meta.json` file. This dual storage creates multiple points of failure. An attacker who gains admin panel access can retrieve the key, granting them the ability to impersonate the legitimate VPN server, set up a rogue server, and, with sufficient captured data, potentially decrypt user traffic. The impact extends to impersonation of the server, unauthorized access, and potential regulatory violations for operators.

This flaw represents a fundamental failure in cryptographic key management, where a secret meant to remain solely on the server is unnecessarily transmitted and stored in a central, often web-accessible, database. It places all servers managed through the vulnerable panel at immediate risk, undermining the core security promise of the VPN protocol. The issue is classified as a P1 (Critical) priority, highlighting the urgent need for a patch to remove the key from the database and restrict it to secure, local server storage only.
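The following Go program is an added illustration of the key-handling point above; it is not code from Xray or from the affected panel. Reality uses an X25519 key pair, so the example generates one with the standard library, contrasts a panel record that carries the private key (the flawed design the issue describes) with one that carries only the public key, writes the private half to an owner-only file on the server, and provides a check a defender can run over a panel API response or a dumped database row to detect a leaked private key. The unpadded base64url encoding is assumed to match what `xray x25519` prints; the JSON field names and the `reality_private.key` file name are constructed for the example, not the project's own layout.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// encodeKey uses unpadded base64url, assumed here to mirror `xray x25519` output.
func encodeKey(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ServerKeys is what the VPN server keeps locally: both halves of the key pair.
type ServerKeys struct {
	PrivateKey string `json:"privateKey"`
	PublicKey  string `json:"publicKey"`
}

// GenerateRealityKeys creates a fresh X25519 key pair on the server itself.
func GenerateRealityKeys() (ServerKeys, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return ServerKeys{}, err
	}
	return ServerKeys{
		PrivateKey: encodeKey(priv.Bytes()),
		PublicKey:  encodeKey(priv.PublicKey().Bytes()),
	}, nil
}

// FlawedPanelRecord mirrors the design the issue describes: the panel receives
// and stores the private key alongside the public key (constructed field names).
func FlawedPanelRecord(k ServerKeys) map[string]string {
	return map[string]string{"privateKey": k.PrivateKey, "publicKey": k.PublicKey}
}

// SafePanelRecord is the hardened form: only the public half ever leaves the host.
func SafePanelRecord(k ServerKeys) map[string]string {
	return map[string]string{"publicKey": k.PublicKey}
}

// SaveLocally writes the private key to the server with owner-only permissions.
// The file name is an example path, not the project's own layout.
func SaveLocally(dir string, k ServerKeys) (string, error) {
	path := filepath.Join(dir, "reality_private.key")
	if err := os.WriteFile(path, []byte(k.PrivateKey), 0o600); err != nil {
		return "", err
	}
	return path, nil
}

// LeaksPrivateKey is the defender's check: given a JSON object from a panel API
// response or database dump, it reports true when the record carries a usable
// X25519 private key, i.e. "privateKey" decodes to 32 bytes and, if a
// "publicKey" is present, that public key is the one derived from it.
func LeaksPrivateKey(raw []byte) (bool, error) {
	var rec map[string]string
	if err := json.Unmarshal(raw, &rec); err != nil {
		return false, err
	}
	enc, ok := rec["privateKey"]
	if !ok || enc == "" {
		return false, nil
	}
	b, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil || len(b) != 32 {
		return false, nil // not an X25519 private key in the expected encoding
	}
	priv, err := ecdh.X25519().NewPrivateKey(b)
	if err != nil {
		return false, nil
	}
	pub, ok := rec["publicKey"]
	if !ok {
		return true, nil // a bare private key is still a leak
	}
	return encodeKey(priv.PublicKey().Bytes()) == pub, nil
}

func main() {
	keys, err := GenerateRealityKeys()
	if err != nil {
		panic(err)
	}
	dir, _ := os.MkdirTemp("", "reality")
	defer os.RemoveAll(dir)
	path, _ := SaveLocally(dir, keys)
	fmt.Println("private key kept at:", path)
	for name, rec := range map[string]map[string]string{
		"flawed": FlawedPanelRecord(keys), "safe": SafePanelRecord(keys),
	} {
		raw, _ := json.Marshal(rec)
		leak, _ := LeaksPrivateKey(raw)
		fmt.Printf("%s panel record leaks private key: %v\n", name, leak)
	}
}
```

Running `LeaksPrivateKey` over every row of the panel's server table, or over the JSON the panel's API returns, turns the issue's description into a concrete audit: any hit means the key must be rotated on the server and purged from the database, not merely hidden in the UI.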

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, vpn, cryptography, data breach
- **Credibility**: unverified
- **Published**: 2026-04-14 13:22:48
- **ID**: 63812
- **URL**: https://whisperx.ai/en/intel/63812