Skip to main content

FastapiAdmin CVE-2026-36724

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-09 mitre
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 21:40 vuln.today
CVSS changed
Jun 09, 2026 - 21:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 09, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionNVD

An uncaught exception in the /application/job/update/{id} endpoint of FastapiAdmin v2.2.0 allows authenticated attackers with the module_task:job:update permission to cause a Denial of Service (DoS) via manipulating the func field of scheduled tasks.

AnalysisAI

{id} endpoint. The root cause is an uncaught exception (CWE-400) that propagates unhandled through the job scheduling subsystem, making availability the sole impact with no confidentiality or integrity loss. A public vulnerability disclosure repository exists, lowering the bar for exploitation by any attacker who already holds the required permission.

Technical ContextAI

FastapiAdmin is an admin panel framework built on FastAPI, a Python web framework. The affected endpoint /application/job/update/{id} handles updates to scheduled task configurations, specifically the func field which designates the callable function for a scheduled job. When an attacker submits a malformed or unexpected value for func, the server raises an exception that is not caught or handled gracefully, causing the application process to fault or return an unrecoverable error state consistent with CWE-400 (Uncontrolled Resource Consumption / improper error handling leading to resource exhaustion or crash). The CPE data provided is non-specific (n/a), so affected product scope is derived from the description and version string v2.2.0 alone. This is a Python/FastAPI application-layer issue, not an OS or kernel-level vulnerability.

RemediationAI

No vendor-released patch has been identified at time of analysis - the only reference is a third-party disclosure repository with no corresponding vendor advisory or fixed release version. Operators should monitor the FastapiAdmin upstream repository for a patched release addressing this endpoint. As a compensating control, restrict the module_task:job:update permission to the smallest possible set of trusted administrator accounts, since exploitation requires this specific role; revoking it from non-essential users eliminates the attack vector entirely without application changes. Additionally, deploying a WAF or API gateway rule that rejects requests to /application/job/update/{id} from non-privileged network segments can reduce exposure. Input validation or allowlisting on the func field at the application or reverse-proxy layer would prevent malformed values from reaching the vulnerable handler. Note that restricting the permission may disrupt legitimate job scheduling workflows for affected users.

Share

CVE-2026-36724 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy