CVE-2026-56022

Summary

Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641.

Affected Software

VendorProductVersion RangeStatus
WebminWebmin0 < 2.641affected
WebminWebmin2.641unaffected

Weaknesses

  • CWE-308: CWE-308 Use of Single-factor Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References