Description
A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloud_account results in deserialization. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-22
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

The flaw is a remote deserialization vulnerability (CWE-502) in the getMember function of app/common/service/AuthCloudService.php. An attacker who controls the cloud_account argument can make the application unserialize crafted data. In PHP, unserialize() on attacker-controlled input instantiates any class that is loadable at that point, and a class with a magic method such as __wakeup() or __destruct() then runs logic over attacker-chosen property values; with a suitable gadget chain this becomes execution of arbitrary code with the permissions of the web server process. Whether such a chain exists in FunAdmin and its dependencies is not stated on this page, and the CVSS vectors below rate the impact on confidentiality, integrity and availability as low. The CVE description states that the attack may be performed from remote, so the backend endpoint that calls getMember is reachable over the network.

Affected Systems

The vulnerability affects the FunAdmin application in releases up to and including 7.1.0-rc4. The NVD CPE configuration added on 24 Feb 2026 enumerates the 7.1.0 release candidates rc1, rc2, rc3 and rc4; the CVE description's wording "up to 7.1.0-rc4" leaves open whether earlier release lines are also affected, so an unpatched deployment of any version should be treated as in scope until the vendor says otherwise. No other products are listed as impacted.

Risk and Exploitability

The CVSS v4.0 base score of 5.1 (Medium) describes a network-reachable, low-complexity attack that requires low privileges (PR:L) and passive user interaction (UI:P), with low impact on confidentiality, integrity and availability; the v3.x vectors likewise record PR:L and UI:R. Contrary to a simple "unauthenticated RCE" reading, the attacker is therefore expected to hold a low-privileged account on the backend. The EPSS score below 1% indicates a low predicted probability of exploitation in the current threat landscape, and the vulnerability is not listed in CISA's KEV catalog. The SSVC assessment records Exploitation: poc, consistent with the description's statement that an exploit is public, and Automatable: no. The attack is launched remotely by sending a crafted cloud_account parameter to the backend endpoint; no local access is required.

Generated by OpenCVE AI on April 17, 2026 at 16:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an official patch or upgrade to a fixed FunAdmin release once available; none is listed on this page yet.
  • Restrict access to the backend endpoint that invokes AuthCloudService::getMember to trusted networks and hosts, and, since the CVSS vectors require low privileges, review which accounts can reach the backend at all.
  • If PHP's unserialize() must be kept for the cloud_account value, call it with the allowed_classes option set to false (or to an explicit short list of plain data classes) and a max_depth limit, so crafted input cannot instantiate application classes; preferably replace PHP serialization of that value with a data-only format such as JSON.
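As an added example (not funadmin's code, and not the real getMember implementation, which this page does not show), the following PHP sketch contrasts the unsafe unserialize() pattern described in the Impact section with the two mitigations in the list above, plus a cheap request-level check for serialized-object payloads. The CacheWriter gadget class, the function names and the shape of the cloud_account value are assumptions; the inputs at the bottom are constructed, not captured from a real attack. It needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example for CVE-2026-2898; NOT funadmin's code. CacheWriter is a
// hypothetical gadget: any loadable class whose magic method acts on its own
// properties lets a crafted serialized string do damage on unserialize().
final class CacheWriter
{
    public string $path = '/tmp/cache.bin';
    public string $payload = '';

    // Runs when the object is freed, so attacker-chosen $path/$payload become
    // an arbitrary file write (a typical first link in a gadget chain).
    public function __destruct()
    {
        file_put_contents($this->path, $this->payload);
    }
}

// Unsafe shape (hypothetical): attacker-controlled input straight into
// unserialize(). Every loadable class is fair game; __wakeup() fires at once
// and __destruct() fires when the result goes out of scope.
function getMemberUnsafe(string $cloudAccount): mixed
{
    return unserialize($cloudAccount);
}

// Mitigation 1: keep unserialize() but forbid every class. Objects in the
// input become __PHP_Incomplete_Class, which defines no application magic
// methods, and max_depth bounds nesting. Then enforce the expected shape.
function getMemberHardened(string $cloudAccount): ?array
{
    $data = @unserialize($cloudAccount, [
        'allowed_classes' => false,
        'max_depth'       => 16,
    ]);
    if (!is_array($data)) {
        return null;                       // objects, false, scalars: reject
    }
    foreach ($data as $key => $value) {
        if (!is_string($key) || (!is_scalar($value) && $value !== null)) {
            return null;                   // nested structures: reject
        }
    }
    return $data;
}

// Mitigation 2 (preferred): carry the value as JSON. json_decode() with
// $associative = true can only yield arrays and scalars, never objects.
function getMemberJson(string $cloudAccount): ?array
{
    try {
        $data = json_decode($cloudAccount, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// Cheap detection for a WAF rule or request log: a PHP serialized object
// starts with O:<len>:"<class>" (or C:<len>: for Serializable classes).
function looksLikeSerializedObject(string $value): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $value);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed inputs (not captured from a real attack).
$malicious = 'O:11:"CacheWriter":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:7:"payload";s:6:"hacked";}';
$benign    = 'a:2:{s:8:"username";s:5:"alice";s:4:"role";s:6:"member";}';
$json      = '{"username":"alice","role":"member"}';
$expected  = ['username' => 'alice', 'role' => 'member'];

check(getMemberHardened($malicious) === null, 'object payload refused');
check(getMemberHardened($benign) === $expected, 'plain array accepted');
check(getMemberJson($json) === $expected, 'json path accepted');
check(looksLikeSerializedObject($malicious), 'payload flagged');
check(!looksLikeSerializedObject($benign), 'benign not flagged');
// getMemberUnsafe($malicious) would build a CacheWriter whose __destruct()
// writes "hacked" to /tmp/pwned.txt as soon as the object is released.
echo "all checks passed\n";
```

allowed_classes alone is not a complete fix: the data still comes from the attacker, so the shape check after unserialize() (or the move to JSON) is what keeps the rest of getMember from operating on unexpected types. The looksLikeSerializedObject() pattern is a logging and blocking aid, not a substitute for either.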



Advisories
Source: Github GHSA
ID: GHSA-gcxp-xg77-798j
Title: funadmin: Deserialization Vulnerability in Backend Endpoint via AuthCloudService getMember Function
History

Tue, 24 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:funadmin:funadmin:7.1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:funadmin:funadmin:7.1.0:rc2:*:*:*:*:*:*
cpe:2.3:a:funadmin:funadmin:7.1.0:rc3:*:*:*:*:*:*
cpe:2.3:a:funadmin:funadmin:7.1.0:rc4:*:*:*:*:*:*

Mon, 23 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 22 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloud_account results in deserialization. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title funadmin Backend Endpoint AuthCloudService.php getMember deserialization
First Time appeared Funadmin
Funadmin funadmin
Weaknesses CWE-20
CWE-502
CPEs cpe:2.3:a:funadmin:funadmin:*:*:*:*:*:*:*:*
Vendors & Products Funadmin
Funadmin funadmin
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T19:17:18.513Z

Reserved: 2026-02-20T18:56:52.541Z

Link: CVE-2026-2898

Vulnrichment

Updated: 2026-02-23T19:17:01.434Z

NVD

Status : Analyzed

Published: 2026-02-22T01:16:00.350

Modified: 2026-02-24T16:27:39.407

Link: CVE-2026-2898

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:45:15Z

Weaknesses