CVE-2026-2975 - Vulnerability Details

- FastApiAdmin Custom Documentation Endpoint init_app.py reset_api_docs information disclosure

Description

A security flaw has been discovered in FastApiAdmin up to 2.2.0. Affected by this vulnerability is the function reset_api_docs of the file /backend/app/plugin/init_app.py of the component Custom Documentation Endpoint. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.

Published: 2026-02-23

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw lies in FastApiAdmin's reset_api_docs endpoint defined in init_app.py. Remotely callable actions can trigger the function, and the manipulation can result in information disclosure. Based on the description, it is inferred that the exposed data may include internal documentation or configuration details. The vulnerability is associated with CWE-200 (Information Exposure) and CWE-284 (Improper Access Control).

Affected Systems

FastApiAdmin component up to and including version 2.2.0 is vulnerable. Any deployment exposing the reset_api_docs endpoint to external users, regardless of hosting environment, is affected.

Risk and Exploitability

The CVSS score of 6.9 denotes moderate severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. Nevertheless, a public exploit script is available, and the attack vector is remote via the exposed endpoint. The issue is not listed in the CISA KEV catalog, but the potential leakage of confidential data warrants prompt attention. The primary impact is a loss of confidentiality, with no known immediate escalation to higher privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

FastApiAdmin

affected

Version	Status	Constraints
`2.0`	affected	—
`2.1`	affected	—
`2.2.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:fastapiadmin:fastapiadmin:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Fastapiadmin

100%

Version	Status	Scheme	Platform
`2.0`	affected	generic	—
`2.1`	affected	generic	—
`2.2.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade FastApiAdmin to a version newer than 2.2.0 where the reset_api_docs function is removed or secured.
Restrict access to the reset_api_docs endpoint to trusted internal networks using network segmentation or firewall rules.
If an upgrade cannot be performed immediately, disable or remove the reset_api_docs endpoint from the application logic.

Generated by OpenCVE AI on April 18, 2026 at 11:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0005.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnerability-1
https://vuldb.com/?ctiid.347359
https://vuldb.com/?id.347359
https://vuldb.com/?submit.756067

History

Thu, 05 Mar 2026 13:15:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:fastapiadmin:fastapi-admin:2.0:::::::* cpe:2.3:a:fastapiadmin:fastapi-admin:2.1:::::::* cpe:2.3:a:fastapiadmin:fastapi-admin:2.2.0:::::::*	cpe:2.3:a:fastapiadmin:fastapiadmin::::::::
Vendors & Products	Fastapiadmin fastapi-admin

Tue, 24 Feb 2026 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fastapiadmin fastapi-admin
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:fastapiadmin:fastapi-admin:2.0:::::::* cpe:2.3:a:fastapiadmin:fastapi-admin:2.1:::::::* cpe:2.3:a:fastapiadmin:fastapi-admin:2.2.0:::::::*
Vendors & Products		Fastapiadmin fastapi-admin

Mon, 23 Feb 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fastapiadmin Fastapiadmin fastapiadmin
Vendors & Products		Fastapiadmin Fastapiadmin fastapiadmin

Mon, 23 Feb 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 23 Feb 2026 06:30:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in FastApiAdmin up to 2.2.0. Affected by this vulnerability is the function reset_api_docs of the file /backend/app/plugin/init_app.py of the component Custom Documentation Endpoint. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
Title		FastApiAdmin Custom Documentation Endpoint init_app.py reset_api_docs information disclosure
Weaknesses		CWE-200 CWE-284
References		https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnerability-1 https://vuldb.com/?ctiid.347359 https://vuldb.com/?id.347359 https://vuldb.com/?submit.756067
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Fastapiadmin Fastapiadmin

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-23T06:02:07.772Z

Updated: 2026-02-23T13:23:00.814Z

Reserved: 2026-02-22T15:09:00.869Z

Link: CVE-2026-2975

Vulnrichment

Updated: 2026-02-23T13:22:56.556Z

NVD

Status : Analyzed

Published: 2026-02-23T07:16:21.243

Modified: 2026-03-05T13:00:58.003

Link: CVE-2026-2975

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:15:35Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object