Webmin CVE-2026-56020

EUVD ID: EUVD-2026-37909 · Severity: CRITICAL
Weakness: Authentication Bypass by Spoofing (CWE-290)
Published: 2026-06-18 · Vendor: cisa-cg · Advisory: GHSA-23xj-gfh3-wf2h
CVSS 4.0 base score: 9.2 (vendor rating, cisa-cg)

Severity by source

Vendor (cisa-cg), primary rating: 9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI rating: 8.1 HIGH
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Rationale: miniserv.pl is network-reachable and the bypass needs neither credentials nor user interaction (AV:N/PR:N/UI:N). The target must be configured for SSL client-certificate authentication, a non-default precondition. CVSS 3.1 has no separate metric for such a precondition and expresses it as AC:H, which gives 8.1 (HIGH); CVSS 4.0 keeps AC:L and records the precondition as AT:P (Attack Requirements: Present), which gives 9.2 (CRITICAL, since 9.0 and above is Critical on the 4.0 scale). Full admin compromise yields high confidentiality, integrity and availability impact on the vulnerable system.

The primary rating shown on this page is the vendor (cisa-cg) rating.

CVSS 4.0 metric breakdown (vendor vector, cisa-cg)

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present (SSL client-certificate authentication must be enabled)
Privileges Required: None
User Interaction: None
Vulnerable System Impact: Confidentiality High, Integrity High, Availability High
Subsequent System Impact: Confidentiality None, Integrity None, Availability None

(CVSS 4.0 has no Scope metric; the separation of vulnerable-system and subsequent-system impact replaces it.)

Lifecycle Timeline (8 events)

Jun 18, 2026 19:44  vuln.today  Analysis updated, v3 (cvss_changed)
Jun 18, 2026 19:44  vuln.today  Analysis updated, v2 (cvss_changed)
Jun 18, 2026 19:38  vuln.today  Re-analysis queued (cvss_changed)
Jun 18, 2026 19:38  NVD         Severity changed: HIGH -> CRITICAL
Jun 18, 2026 19:38  NVD         CVSS changed: 8.1 (HIGH) -> 9.2 (CRITICAL)
Jun 18, 2026 19:01  EUVD        Patch available
Jun 18, 2026 17:02  vuln.today  Source code evidence fetched
Jun 18, 2026 17:02  vuln.today  Analysis generated

Description (source: CVE.org)

The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641.

Analysis (AI-generated)

Authentication bypass in Webmin's miniserv.pl HTTP server (versions prior to 2.641) allows remote unauthenticated attackers to impersonate any user, including root/admin, by sending a forged HTTP header that spoofs an SSL client certificate Distinguished Name. The flaw maps to CWE-290 (Authentication Bypass by Spoofing) and is rated CVSS 4.0 9.2 (Critical); a vendor-released fix exists in 2.641, but no public exploit is identified at time of analysis and the issue is not currently listed in CISA KEV.


Attack Chain (AI-derived; hypothetical attack flow derived from CVE metadata)

  • Access: identify an internet-exposed Webmin instance with SSL client-certificate authentication enabled.
  • Delivery: craft an HTTPS request carrying a forged certificate-DN header.
  • Exploit: send it to miniserv.pl, impersonating an admin user.
  • Execution: miniserv.pl trusts the header and issues an admin session.
  • Impact: execute commands as root via the Webmin shell module.

Vulnerability Assessment (AI-generated)

Exploitation: The target must be running Webmin prior to 2.641 with SSL client-certificate authentication enabled in miniserv.pl. This is a non-default authentication mode that an administrator must explicitly configure; it is the AT:P (Attack Requirements: Present) factor in the CVSS 4.0 vector. …

Risk Assessment: Signals largely agree that this is a high-priority issue. The CVSS 4.0 score of 9.2 with AV:N/AC:L/PR:N/UI:N reflects a network-reachable, unauthenticated, low-complexity bypass of the admin plane of a privileged management product, with full confidentiality, integrity and availability impact on the vulnerable system. …

Exploit Scenario: A Webmin instance is reachable on the internet (port 10000/tcp) and configured to accept SSL client-certificate authentication for administrative SSO. An attacker connects over HTTPS and injects an HTTP header carrying a forged Distinguished Name matching root or an existing admin user (e.g. 'CN=root,OU=Admins'); miniserv.pl trusts the header value rather than the TLS-validated peer certificate and grants a session as that user, yielding full Webmin admin control and, by extension, root-equivalent command execution on the underlying host. …

Remediation: Upgrade to Webmin 2.641 or later. The release is at https://github.com/webmin/webmin/releases/tag/2.641 and the vendor notes are at https://webmin.com/security/#webmin-prior-to-2641. …
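The exploit scenario above comes down to one design error: the server takes the client's identity from something the client itself supplies. The following added example (illustration code, not Webmin's miniserv.pl) shows that vulnerable pattern beside the hardened form, which derives identity only from the certificate the TLS stack verified, plus a small detection hook. The advisory does not name the header miniserv.pl trusted, so the header name X-SSL-Client-DN, the user table, and the request layout are assumptions made for the example.

```python
"""Illustration of the CWE-290 pattern behind CVE-2026-56020.

Added example, not Webmin code. The advisory states only that a forged
HTTP header carrying a certificate DN was accepted in place of the
TLS-verified peer certificate; the header name, user table and request
layout below are assumptions for the illustration.
"""
from typing import Mapping, Optional

# Assumed header name; the advisory does not name the real one.
CLIENT_DN_HEADER = "X-SSL-Client-DN"

# Constructed user table: username -> DN of the client certificate an
# administrator enrolled for that user.
USERS = {
    "root": "CN=root,OU=Admins",
    "ops": "CN=ops,OU=Operators",
}


def user_for_dn(dn: Optional[str]) -> Optional[str]:
    """Return the user whose enrolled certificate DN matches exactly, else None."""
    if not dn:
        return None
    for user, enrolled in USERS.items():
        if enrolled == dn:
            return user
    return None


def authenticate_vulnerable(headers: Mapping[str, str],
                            tls_peer_dn: Optional[str]) -> Optional[str]:
    """Vulnerable pattern: the DN is read from a request header.

    Whoever sends the request chooses the header, so an unauthenticated
    client can name any enrolled DN and is logged in as that user. The TLS
    layer's own view of the peer certificate (tls_peer_dn) is never consulted.
    """
    claimed_dn = headers.get(CLIENT_DN_HEADER)
    return user_for_dn(claimed_dn)


def authenticate_fixed(headers: Mapping[str, str],
                       tls_peer_dn: Optional[str]) -> Optional[str]:
    """Hardened pattern: identity comes only from the certificate the TLS
    stack verified on this connection. Request headers are never a source of
    identity, so a connection without a verified client certificate gets no
    user regardless of what headers it carries."""
    del headers  # deliberately unused
    return user_for_dn(tls_peer_dn)


def spoof_indicator(headers: Mapping[str, str],
                    tls_peer_dn: Optional[str]) -> Optional[str]:
    """Detection hook for the hardened server: flag a request whose client-DN
    header is not backed by the TLS layer. A client talking directly to a
    server that terminates TLS itself has no legitimate reason to send one."""
    claimed_dn = headers.get(CLIENT_DN_HEADER)
    if claimed_dn is None or claimed_dn == tls_peer_dn:
        return None
    return f"client-DN header {claimed_dn!r} not backed by TLS peer {tls_peer_dn!r}"


if __name__ == "__main__":
    # Constructed request: no client certificate presented, forged header only.
    forged = {CLIENT_DN_HEADER: "CN=root,OU=Admins"}
    print("vulnerable:", authenticate_vulnerable(forged, None))  # root
    print("fixed:     ", authenticate_fixed(forged, None))       # None
    print("indicator: ", spoof_indicator(forged, None))
```

The same rule applies when TLS is terminated by a reverse proxy in front of the application: a client-certificate header is trustworthy only if the proxy strips any inbound copy and the application accepts it only from the proxy's address, otherwise the proxy simply relocates this bug.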

Recommended Action (AI-generated)

Within 24 hours: identify all systems running Webmin versions prior to 2.641 and restrict network access to the Webmin interface (port 10000/tcp by default) where operationally feasible. Because the bypass depends on SSL client-certificate authentication being enabled in miniserv.pl, disabling that authentication mode until the upgrade to 2.641 is applied removes the precondition the attack requires. …
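For the inventory step, the following added triage helper (example code, not from the advisory or the Webmin project) classifies hosts from a banner scan against the fixed version. It assumes the HTTP Server header miniserv.pl returns is present and unaltered; an operator can suppress the banner, so a host with no MiniServ banner is reported as unknown, never as patched, and needs a local check of the installed version instead. The scan output embedded below is constructed for the example.

```python
"""Triage helper for CVE-2026-56020: flag Webmin hosts whose MiniServ banner
reports a version below 2.641.

Added example, not from the advisory or from Webmin. Assumes the Server
header is present and unaltered; a missing banner means "unknown".
"""
import re
from typing import Dict, List, Optional

FIXED_VERSION = 2.641  # first fixed release per the advisory

# Webmin versions are fixed-width numerics (2.105, 2.641, ...), so a float
# comparison orders them correctly. Hosts that hide the banner match nothing.
BANNER_RE = re.compile(r"MiniServ/(\d+\.\d+)")

# Constructed scan output: "host:port<TAB>Server header as returned".
SCAN_OUTPUT = """\
10.0.0.5:10000\tServer: MiniServ/2.105
10.0.0.9:10000\tServer: MiniServ/2.641
10.0.0.12:10000\tServer: MiniServ
10.0.0.17:10000\tServer: nginx
"""


def parse_miniserv_version(server_header: str) -> Optional[float]:
    """Extract the MiniServ version from a Server header, or None if absent."""
    m = BANNER_RE.search(server_header or "")
    return float(m.group(1)) if m else None


def status_for(version: Optional[float]) -> str:
    """Map a parsed version to a triage status: affected, patched or unknown."""
    if version is None:
        return "unknown"
    return "affected" if version < FIXED_VERSION else "patched"


def triage(scan_output: str) -> Dict[str, str]:
    """Return host:port -> status for every non-empty line of the scan output."""
    result: Dict[str, str] = {}
    for line in scan_output.splitlines():
        if not line.strip():
            continue
        target, _, header = line.partition("\t")
        result[target.strip()] = status_for(parse_miniserv_version(header))
    return result


def affected_targets(scan_output: str) -> List[str]:
    """Hosts that need the 2.641 upgrade (or network restriction) first."""
    return sorted(t for t, s in triage(scan_output).items() if s == "affected")


if __name__ == "__main__":
    for target, status in triage(SCAN_OUTPUT).items():
        print(f"{target}\t{status}")
    print("upgrade first:", affected_targets(SCAN_OUTPUT))  # ['10.0.0.5:10000']
```

A banner only tells you the version, not whether client-certificate authentication is enabled; treat every affected host as exploitable until its miniserv.pl configuration has been checked, and patch regardless of that configuration.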

Source: vuln.today, CVE-2026-56020 vulnerability details