Description
A security vulnerability has been detected in FastApiAdmin up to 2.2.0. This affects the function upload_controller of the file /backend/app/api/v1/module_common/file/controller.py of the component Scheduled Task API. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-02-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted File Upload
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in FastApiAdmin's upload_controller function within the Scheduled Task API component (backend/app/api/v1/module_common/file/controller.py). The endpoint accepts uploaded files without restricting their type, and the CVSS vectors (PR:L in v3.x and v4.0, Au:S in v2.0) indicate that a low-privileged authenticated account is enough to reach it. The weakness maps to improper access control (CWE-284) and unrestricted upload of a file with dangerous type (CWE-434). An attacker who can reach the endpoint can therefore place arbitrary files, including scripts or binaries, on the server. Whether that escalates to code execution depends on whether the application later serves or executes those files, which the description does not establish.

Affected Systems

All installations of FastApiAdmin version 2.2.0 or earlier are affected; the CPE entries recorded in the history below cover versions 2.0, 2.1 and 2.2.0 of fastapiadmin:fastapi-admin together with an unversioned fastapiadmin:fastapiadmin match. Operators running these versions should check whether the upload_controller endpoint is reachable in their environment and which roles are able to call it.

Risk and Exploitability

The CVSS v4.0 base score of 5.3 (6.3 under v3.1) indicates medium severity: the vectors require low privileges and no user interaction, with low impact on confidentiality, integrity and availability. The EPSS score below 1% suggests that exploitation is currently unlikely but not impossible, and the SSVC assessment records a public proof of concept (Exploitation: poc) with partial technical impact and no automation. The flaw is publicly disclosed and remotely triggerable through the upload endpoint. It is not listed in CISA's KEV catalog, but the ability to write arbitrary files to the server is a meaningful integrity threat, and becomes a code-execution risk if the application serves or executes what it stores.

Generated by OpenCVE AI on April 18, 2026 at 17:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FastApiAdmin to a version newer than 2.2.0 once a release that restricts the upload functionality is available; no fixed version is recorded on this page yet.
  • If upgrading is not immediately possible, disable the upload_controller endpoint in production or restrict it to privileged administrators. The vectors show a low-privileged account suffices today, so role checks, not just authentication, are the relevant control.
  • Implement server‑side validation: accept only an allow‑list of extensions and MIME types, verify the declared type against the file's leading bytes rather than trusting the client's filename or Content‑Type header, enforce strict size limits, write files under a server‑generated name, and store uploads outside any web‑accessible directory so that nothing uploaded can be served or executed.
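
The validation the third action calls for, as an added example (not FastApiAdmin's code): a pure-Python allow-list validator and storage routine written the way a hardened FastAPI upload route would call it, after its authentication and role dependency. The UPLOAD_ROOT path, the size limit, the MIME allow-list and the PNG_SAMPLE bytes are assumptions constructed for the example.

```python
"""Allow-list upload validation for a FastAPI-style file endpoint.

Added example, not FastApiAdmin's code. UPLOAD_ROOT, the MIME allow-list, the
size limit and PNG_SAMPLE are assumptions; wire validate_upload() and
store_upload() into the route handler after its authorisation dependency.
"""
import hashlib
import os
import secrets
import tempfile
from dataclasses import dataclass
from pathlib import Path, PurePosixPath

# Assumption: uploads live outside any directory the web server or app serves statically.
UPLOAD_ROOT = Path(os.environ.get("UPLOAD_ROOT", "/var/lib/fastapiadmin/uploads"))
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit; tune per deployment

# Allow-list: extension -> (expected Content-Type, accepted magic-byte prefixes).
# Anything not listed here is rejected, so scripts and archives never reach disk.
ALLOWED_TYPES = {
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".pdf": ("application/pdf", (b"%PDF-",)),
}

# Constructed sample: a valid PNG signature followed by padding, not a real image.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


class UploadRejected(ValueError):
    """Raised for any upload that fails validation; the route maps it to HTTP 400/415."""


@dataclass(frozen=True)
class ValidatedUpload:
    stored_name: str   # server-generated, never the client's filename
    content_type: str
    sha256: str
    size: int


def validate_upload(filename: str, content: bytes, declared_type: str,
                    size_limit: int = MAX_UPLOAD_BYTES) -> ValidatedUpload:
    """Check size, extension, declared Content-Type and file signature against the allow-list."""
    if not content:
        raise UploadRejected("empty upload")
    if len(content) > size_limit:
        raise UploadRejected(f"upload exceeds {size_limit} bytes")
    # Only the final suffix is considered: 'shell.php.png' is judged by '.png' and then by its
    # bytes, while 'image.png.sh' or 'image.png\x00.sh' ends in '.sh' and is rejected outright.
    ext = PurePosixPath(filename).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    expected_type, magics = ALLOWED_TYPES[ext]
    if declared_type.split(";")[0].strip().lower() != expected_type:
        raise UploadRejected("Content-Type does not match extension")
    # The client controls the header and the name; the bytes are the only thing worth checking.
    if not any(content.startswith(m) for m in magics):
        raise UploadRejected("file signature does not match declared type")
    return ValidatedUpload(
        stored_name=f"{secrets.token_hex(16)}{ext}",
        content_type=expected_type,
        sha256=hashlib.sha256(content).hexdigest(),
        size=len(content),
    )


def rejects(filename: str, content: bytes, declared_type: str, **kwargs) -> bool:
    """True if validate_upload() refuses the input; handy for tests and for logging."""
    try:
        validate_upload(filename, content, declared_type, **kwargs)
    except UploadRejected:
        return True
    return False


def store_upload(upload: ValidatedUpload, content: bytes, root: Path = UPLOAD_ROOT) -> Path:
    """Write the validated bytes under root with the random name, refusing to overwrite."""
    root = root.resolve()
    root.mkdir(parents=True, exist_ok=True)
    dest = (root / upload.stored_name).resolve()
    if dest.parent != root:            # defence in depth: the name is ours, but check anyway
        raise UploadRejected("refusing to write outside the upload root")
    with open(dest, "xb") as fh:       # 'x' fails if the name already exists
        fh.write(content)
    os.chmod(dest, 0o640)              # data, not executable
    return dest


def demo() -> tuple[Path, int]:
    """Store PNG_SAMPLE in a fresh temp dir; returns (path written, bytes on disk)."""
    tmp = Path(tempfile.mkdtemp())
    validated = validate_upload("logo.png", PNG_SAMPLE, "image/png")
    dest = store_upload(validated, PNG_SAMPLE, root=tmp)
    return dest, dest.stat().st_size


if __name__ == "__main__":
    print(demo())
```

In a FastAPI handler the route would read `await file.read()` into `content` and pass `file.filename` and `file.content_type` to validate_upload(); the route itself must still sit behind the admin-only authorisation dependency, because type validation does not substitute for the missing access control (CWE-284). The server-generated name and the out-of-webroot directory mean that even a polyglot file which passes the signature check is never served or executed by the application.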

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:fastapiadmin:fastapi-admin:2.0:*:*:*:*:*:*:*
cpe:2.3:a:fastapiadmin:fastapi-admin:2.1:*:*:*:*:*:*:*
cpe:2.3:a:fastapiadmin:fastapi-admin:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:fastapiadmin:fastapiadmin:*:*:*:*:*:*:*:*
Vendors & Products Fastapiadmin fastapi-admin

Wed, 25 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Fastapiadmin fastapi-admin
CPEs cpe:2.3:a:fastapiadmin:fastapi-admin:2.0:*:*:*:*:*:*:*
cpe:2.3:a:fastapiadmin:fastapi-admin:2.1:*:*:*:*:*:*:*
cpe:2.3:a:fastapiadmin:fastapi-admin:2.2.0:*:*:*:*:*:*:*
Vendors & Products Fastapiadmin fastapi-admin

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Fastapiadmin
Fastapiadmin fastapiadmin
Vendors & Products Fastapiadmin
Fastapiadmin fastapiadmin

Mon, 23 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 07:30:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in FastApiAdmin up to 2.2.0. This affects the function upload_controller of the file /backend/app/api/v1/module_common/file/controller.py of the component Scheduled Task API. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
Title FastApiAdmin Scheduled Task API controller.py upload_controller unrestricted upload
Weaknesses CWE-284
CWE-434
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T13:18:42.686Z

Reserved: 2026-02-22T15:09:07.919Z

Link: CVE-2026-2977

Vulnrichment

Updated: 2026-02-23T13:18:36.321Z

NVD

Status : Analyzed

Published: 2026-02-23T08:16:13.757

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2977

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses