Severity by source
CVSS Vector (Vendor: cisa-cg): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Basic auth credentials required so PR:L not PR:N; Webmin grants full host OS control so C/I/A all high.
Primary rating from Vendor (cisa-cg).
Lifecycle Timeline
Description (CVE.org)
Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641.
Analysis (AI)
MFA bypass in Webmin prior to 2.641 enables remote attackers holding valid credentials to circumvent multi-factor authentication entirely by supplying the literal string 'webmin' as the HTTP User-Agent header, causing the server to accept basic authentication without requiring a session cookie or a second factor. The affected CPE covers all Webmin releases before 2.641, and the impact extends well beyond the low integrity score assigned by the official CVSS - Webmin is a full server administration panel, meaning successful authentication grants control over the underlying host. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata; the visualization itself is not reproduced here.
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires two concrete preconditions: first, the attacker must possess valid Webmin credentials (username and password) for an account on the target instance - the vulnerability bypasses MFA only, not the initial credential check; second, MFA must be enabled on the Webmin instance, as the bypass specifically circumvents the second-factor enforcement path. … |
| Risk Assessment | The official NVD CVSS score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) substantially understates real-world risk. … |
| Exploit Scenario | An attacker who has obtained valid Webmin credentials through phishing, credential stuffing, or a prior breach attempts login but is stopped by the MFA prompt. The attacker replaces their browser's User-Agent with 'webmin' - trivially done via any HTTP client such as curl - and resubmits the basic auth request, which Webmin accepts without invoking the MFA challenge, granting full administrative access to the server. … |
| Remediation | Upgrade to Webmin 2.641 or later, which is the vendor-released patch per the GitHub release at https://github.com/webmin/webmin/releases/tag/2.641 and the security advisory at https://webmin.com/security/#webmin-prior-to-2641. … |
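For defenders, the two actionable facts on this page are the fixed version (2.641) and the indicator of the bypass path (a request whose User-Agent is the literal string 'webmin'). The following Python is an added example, not code from vuln.today or from the Webmin project: it checks whether a Webmin version string is below the fixed release and scans access-log lines for the User-Agent indicator. The log lines are constructed for illustration and use the NCSA combined format; that format is an assumption, not Webmin's own miniserv.log layout, so adapt the regular expression to whatever log your Webmin or reverse proxy actually writes. The match is case-insensitive on purpose, which is a conservative choice for detection, not a statement about how Webmin compares the header.

```python
import re
from typing import Dict, List

# Fixed release per the vendor advisory quoted on the page.
FIXED_VERSION = "2.641"


def is_affected(version: str) -> bool:
    """Return True when a Webmin version string is below the fixed release.

    Webmin versions are plain decimal numbers (2.105 < 2.621 < 2.641),
    so a numeric comparison is sufficient.
    """
    return float(version) < float(FIXED_VERSION)


# NCSA combined log format: ip ident user [ts] "req" status bytes "referer" "ua".
# Assumption for this example only; adjust for the real log source.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: two ordinary browser requests, two requests that
# carry the bypass indicator, and one unrelated agent whose name merely
# starts with "webmin" (must NOT be flagged, since the indicator is exact).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - admin [05/Mar/2026:10:01:09 +0000] "GET /session_login.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.23 - root [05/Mar/2026:10:02:44 +0000] "GET / HTTP/1.1" 200 4096 "-" "webmin"
198.51.100.23 - root [05/Mar/2026:10:02:51 +0000] "GET /useradmin/ HTTP/1.1" 200 1024 "-" "Webmin"
192.0.2.9 - - [05/Mar/2026:10:03:30 +0000] "GET / HTTP/1.1" 401 0 "-" "webmin-monitor/1.0"
"""


def find_mfa_bypass_candidates(log_text: str) -> List[Dict[str, str]]:
    """Flag entries whose User-Agent is exactly 'webmin' (case-insensitive).

    On a Webmin build before 2.641 with MFA enabled, such requests are the
    ones that basic auth would have accepted without a second factor.
    Malformed lines are skipped rather than aborting the scan.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        if m.group("ua").strip().lower() == "webmin":
            hits.append({
                "ts": m.group("ts"),
                "ip": m.group("ip"),
                "user": m.group("user"),
                "path": m.group("path"),
                "status": m.group("status"),
                "ua": m.group("ua"),
            })
    return hits


def group_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per client IP, for triage and alert de-duplication."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for v in ("2.105", "2.640", "2.641", "2.700"):
        print(f"Webmin {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    found = find_mfa_bypass_candidates(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} user={h['user']} {h['path']} status={h['status']} ua={h['ua']!r}")
    print("per-source counts:", group_by_source(found))
```

Run against a real log, a hit from an account that normally authenticates through the browser login form is the signal worth an alert; a 200 status on such a request against a pre-2.641 instance with MFA enabled means the second factor was not enforced. Any legitimate automation that identifies itself as 'webmin' will also match, so baseline the rule against known clients before paging on it.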
Authentication bypass in Webmin's miniserv.pl HTTP server (versions prior to 2.641) allows remote unauthenticated attack
Unauthenticated remote file disclosure in Webmin (all versions prior to 2.641) exposes the contents of any .conf file re
Stored cross-site scripting in Webmin before 2.641 allows low-privileged authenticated attackers to inject arbitrary Jav
Same weakness: CWE-308 – Use of Single-factor Authentication
Same technique: Authentication Bypass
Related advisory identifiers: EUVD-2026-37907, GHSA-9848-6qgw-2748