FastapiAdmin CVE-2026-36724
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionNVD
An uncaught exception in the /application/job/update/{id} endpoint of FastapiAdmin v2.2.0 allows authenticated attackers with the module_task:job:update permission to cause a Denial of Service (DoS) via manipulating the func field of scheduled tasks.
AnalysisAI
{id} endpoint. The root cause is an uncaught exception (CWE-400) that propagates unhandled through the job scheduling subsystem, making availability the sole impact with no confidentiality or integrity loss. A public vulnerability disclosure repository exists, lowering the bar for exploitation by any attacker who already holds the required permission.
Technical ContextAI
FastapiAdmin is an admin panel framework built on FastAPI, a Python web framework. The affected endpoint /application/job/update/{id} handles updates to scheduled task configurations, specifically the func field which designates the callable function for a scheduled job. When an attacker submits a malformed or unexpected value for func, the server raises an exception that is not caught or handled gracefully, causing the application process to fault or return an unrecoverable error state consistent with CWE-400 (Uncontrolled Resource Consumption / improper error handling leading to resource exhaustion or crash). The CPE data provided is non-specific (n/a), so affected product scope is derived from the description and version string v2.2.0 alone. This is a Python/FastAPI application-layer issue, not an OS or kernel-level vulnerability.
RemediationAI
No vendor-released patch has been identified at time of analysis - the only reference is a third-party disclosure repository with no corresponding vendor advisory or fixed release version. Operators should monitor the FastapiAdmin upstream repository for a patched release addressing this endpoint. As a compensating control, restrict the module_task:job:update permission to the smallest possible set of trusted administrator accounts, since exploitation requires this specific role; revoking it from non-essential users eliminates the attack vector entirely without application changes. Additionally, deploying a WAF or API gateway rule that rejects requests to /application/job/update/{id} from non-privileged network segments can reduce exposure. Input validation or allowlisting on the func field at the application or reverse-proxy layer would prevent malformed values from reaching the vulnerable handler. Note that restricting the permission may disrupt legitimate job scheduling workflows for affected users.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today