Description
A weakness has been identified in funadmin up to 7.1.0-rc4. This affects the function setConfig of the file app/backend/controller/Ajax.php of the component Configuration Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authorization
Action: Apply Patch
AI Analysis

Impact

The vulnerability is located in the setConfig function of the Ajax.php controller in funadmin up to version 7.1.0-rc4. Authorization checks are bypassed, allowing an attacker to modify configuration settings without proper privileges. This can compromise the integrity of system configuration and potentially create pathways for further attacks.

Affected Systems

The affected vendor is funadmin. Users running any release up to funadmin 7.1.0-rc4, including the release candidates rc1 through rc4, are vulnerable. Versions beyond rc4 are not affected.

Risk and Exploitability

The CVSS base score is 6.9, indicating moderate severity. The Exploit Prediction Scoring System (EPSS) score is below 1%, implying that the likelihood of exploitation is currently low. The vulnerability is nonetheless exploitable remotely and exploit code has been publicly released, although it has not been added to CISA’s Known Exploited Vulnerabilities catalog. Attackers with network access to the target can invoke the setConfig endpoint and change configuration without proper authentication.

Generated by OpenCVE AI on April 17, 2026 at 16:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a funadmin version newer than 7.1.0-rc4 that addresses the authorization flaw. If the vendor has released a patch, apply it immediately.
  • If an immediate upgrade is not feasible, restrict external access to the setConfig endpoint by configuring the web server or firewall to allow only authenticated or trusted IPs, effectively blocking unauthenticated remote calls.
  • Review and modify the application code or configuration to enforce role‑based access control for configuration changes, ensuring that only users with proper administrative rights can invoke setConfig. Optionally, implement logging and alerting for configuration modifications.
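The following PHP sketch is an added illustration of the third recommendation. It is not funadmin code and not part of this record; the ConfigStore and AuditLog structures, the role name "admin" and the two action functions are hypothetical. It places the unchecked pattern next to a hardened version that requires an authenticated administrator, restricts writable keys to an allow-list, and records each change for monitoring.

```php
<?php
// Added example, not funadmin code: a minimal configuration-update action
// shown without and with an authorization check. All names are hypothetical.

declare(strict_types=1);

final class AuthorizationDenied extends RuntimeException {}

// Hypothetical in-memory configuration store standing in for the real one.
final class ConfigStore
{
    private array $values = ['site_name' => 'demo', 'upload_dir' => '/var/www/uploads'];

    public function set(string $key, string $value): void
    {
        $this->values[$key] = $value;
    }

    public function get(string $key): ?string
    {
        return $this->values[$key] ?? null;
    }
}

// Unchecked pattern: the action trusts the request and writes whatever it receives.
function setConfigUnchecked(ConfigStore $store, array $request): void
{
    foreach ($request as $key => $value) {
        $store->set((string) $key, (string) $value);
    }
}

// Hardened pattern: require an authenticated session carrying an administrative
// role before touching configuration, accept only known keys, and record who
// changed what so the modification is visible to logging and alerting.
function setConfigChecked(ConfigStore $store, array $session, array $request, array &$auditLog): void
{
    $user = $session['user'] ?? null;
    if ($user === null) {
        throw new AuthorizationDenied('authentication required');
    }
    if (!in_array('admin', $user['roles'] ?? [], true)) {
        throw new AuthorizationDenied('administrator role required');
    }

    // Explicit allow-list of writable keys instead of arbitrary request-supplied names.
    $allowed = ['site_name', 'upload_dir'];
    foreach ($request as $key => $value) {
        if (!in_array($key, $allowed, true)) {
            throw new InvalidArgumentException("configuration key not permitted: {$key}");
        }
    }

    foreach ($request as $key => $value) {
        $old = $store->get($key);
        $store->set($key, (string) $value);
        $auditLog[] = sprintf('%s user=%s key=%s old=%s new=%s',
            gmdate('c'), $user['name'], $key, var_export($old, true), var_export($value, true));
    }
}

// Demonstration with constructed sessions and requests.
$store = new ConfigStore();
$auditLog = [];
$request = ['upload_dir' => '/tmp/untrusted'];

// Anonymous caller against the unchecked action: the write succeeds.
setConfigUnchecked($store, $request);
echo "unchecked: upload_dir is now ", $store->get('upload_dir'), PHP_EOL;

// Same anonymous caller against the hardened action: rejected before any write.
$store = new ConfigStore();
try {
    setConfigChecked($store, [], $request, $auditLog);
} catch (AuthorizationDenied $e) {
    echo "checked, anonymous: ", $e->getMessage(), PHP_EOL;
}

// Authenticated user without the administrative role: also rejected.
try {
    setConfigChecked($store, ['user' => ['name' => 'alice', 'roles' => ['editor']]], $request, $auditLog);
} catch (AuthorizationDenied $e) {
    echo "checked, editor: ", $e->getMessage(), PHP_EOL;
}

// Administrator: the write goes through and leaves an audit record.
setConfigChecked($store, ['user' => ['name' => 'root', 'roles' => ['admin']]], ['site_name' => 'prod'], $auditLog);
echo "checked, admin: site_name is now ", $store->get('site_name'), PHP_EOL;
echo implode(PHP_EOL, $auditLog), PHP_EOL;
```

Run it with `php` from the command line; the unchecked action accepts the anonymous write, while the hardened action rejects both the anonymous and the non-administrator caller and logs the administrator's change. In a real application the role check belongs in a shared middleware or base controller so that every privileged action inherits it rather than each action repeating it.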

Advisories
Source: GitHub GHSA
ID: GHSA-5m2g-4cf6-c3rg
Title: funadmin has Incorrect Privilege Assignment in its Configuration Handler
History

Tue, 24 Feb 2026 16:45:00 +0000

Type: CPEs
Values removed: (none)
Values added:
  cpe:2.3:a:funadmin:funadmin:7.1.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:funadmin:funadmin:7.1.0:rc2:*:*:*:*:*:*
  cpe:2.3:a:funadmin:funadmin:7.1.0:rc3:*:*:*:*:*:*
  cpe:2.3:a:funadmin:funadmin:7.1.0:rc4:*:*:*:*:*:*

Mon, 23 Feb 2026 21:15:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  ssvc:
  {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 21 Feb 2026 23:45:00 +0000

Values removed: (none)
Values added:

Description:
  A weakness has been identified in funadmin up to 7.1.0-rc4. This affects the function setConfig of the file app/backend/controller/Ajax.php of the component Configuration Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Title:
  funadmin Configuration Ajax.php setConfig improper authorization

First time appeared:
  Funadmin
  Funadmin funadmin

Weaknesses:
  CWE-266
  CWE-285

CPEs:
  cpe:2.3:a:funadmin:funadmin:*:*:*:*:*:*:*:*

Vendors & Products:
  Funadmin
  Funadmin funadmin

References: (none)

Metrics:
  cvssV2_0:
  {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

  cvssV3_0:
  {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

  cvssV3_1:
  {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

  cvssV4_0:
  {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T19:24:12.021Z

Reserved: 2026-02-20T18:56:46.376Z

Link: CVE-2026-2896

Vulnrichment

Updated: 2026-02-23T19:24:05.022Z

NVD

Status: Analyzed

Published: 2026-02-22T00:15:59.450

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2896

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:45:15Z

Weaknesses