Description
A vulnerability was detected in FastApiAdmin up to 2.2.0. This vulnerability affects the function upload_file_controller of the file /backend/app/api/v1/module_system/params/controller.py of the component Scheduled Task API. Performing a manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used.
Published: 2026-02-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Unrestricted File Upload
Action: Patch
AI Analysis

Impact

The FastApiAdmin backend contains a flaw in the upload_file_controller function of backend/app/api/v1/module_system/params/controller.py, which the advisory attributes to the Scheduled Task API. The record carries two weaknesses: CWE-434 (unrestricted upload of a file with a dangerous type) and CWE-284 (improper access control), so the endpoint accepts file types it should reject and the access check guarding it is inadequate. Every published CVSS vector rates privileges required as low (PR:L in v3.x and v4.0, Au:S in v2), so the attacker is assumed to hold an ordinary authenticated account rather than no account at all. The description does not say where uploaded files are written, whether they are served back to clients, or whether they can be executed, so the confirmed impact is the ability to place attacker-chosen file content on the application; any escalation to code execution would depend on deployment details the advisory does not cover.

Affected Systems

FastApiAdmin versions up to and including 2.2.0 are affected; the CPE entries attached to the record name 2.0, 2.1 and 2.2.0 explicitly, alongside a version-less entry for the product. The vulnerable code is backend/app/api/v1/module_system/params/controller.py. The record lists no fixed version, so any deployment at 2.2.0 or earlier should be treated as vulnerable until the maintainer publishes a fix.

Risk and Exploitability

The 5.3 score is the CVSS 4.0 base value; the v3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) scores 6.3 and the v2 vector 6.5, all recording low confidentiality, integrity and availability impact and low privileges required. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild, the flaw is not listed in the CISA KEV catalog, and the SSVC assessment recorded on 23 Feb 2026 is Exploitation: poc, Automatable: no, Technical Impact: partial. Public exploit code exists, however, so internet-exposed instances with weak account hygiene are realistic targets. The attack is a remote HTTP request to the upload endpoint from an authenticated low-privilege account; no user interaction is required.

Generated by OpenCVE AI on April 18, 2026 at 11:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed release as soon as the maintainer publishes one; this record currently lists no vendor fix or workaround, so check the project's release notes and re-check this CVE for updates.
  • Until then, modify the upload controller to enforce an allowlist of permitted extensions and content types, validated against the file's bytes rather than only the client-supplied name or Content-Type header; cap the upload size; and store files under a server-generated name, outside any directory that is web-served or from which code is loaded.
  • Add or reinforce access-control checks so that only authenticated users holding the appropriate management role can invoke the upload endpoint (the record lists CWE-284 alongside CWE-434, so the access check needs attention as much as the type check).
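The following is an added example, not code from FastApiAdmin or from OpenCVE, showing how the file-type validation and role check recommended above can be enforced in a Python backend such as a FastAPI application. The allowed extensions, the magic-byte table, the 5 MiB cap and the admin role name are assumptions for illustration, and the inputs in demo() are constructed. The functions take plain values so they can be called from a route handler or a dependency without changing the framework wiring.

```python
"""Hardened upload handling: allowlisted types, content sniffing,
size cap, role check and server-generated names (example code)."""
import os
import tempfile
import uuid

# Hypothetical policy: the advisory does not say which file types the
# application intends to accept, so this allowlist is an assumption.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",   # extension -> required leading bytes
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024        # assumed cap
UPLOAD_ROLES = {"admin"}           # hypothetical role name


class UploadRejected(Exception):
    """Raised with a short reason that is safe to return to the caller."""


def validate_upload(filename: str, content: bytes, user_roles: set) -> str:
    """Apply every check; return the extension to store under, or raise.

    The cheapest and most decisive checks (role, size) run before any
    inspection of attacker-controlled bytes.
    """
    if not user_roles & UPLOAD_ROLES:
        raise UploadRejected("caller lacks an upload role")
    if not 0 < len(content) <= MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Reject path components outright instead of trying to sanitise them.
    if filename in ("", ".", "..") or any(c in filename for c in "/\\\x00"):
        raise UploadRejected("filename contains path components")
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # The extension only selects the expected format; the bytes must agree,
    # so a script renamed to .png is still rejected.
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    return ext


def rejection_reason(filename: str, content: bytes, user_roles: set):
    """The rejection message, or None if the upload would be accepted."""
    try:
        validate_upload(filename, content, user_roles)
    except UploadRejected as exc:
        return str(exc)
    return None


def store_upload(upload_root: str, filename: str, content: bytes,
                 user_roles: set) -> str:
    """Validate, then write under a random name inside upload_root.

    The client-supplied name never reaches the disk; only its allowlisted
    extension survives, so a traversal payload has nothing to act on.
    """
    ext = validate_upload(filename, content, user_roles)
    root = os.path.realpath(upload_root)
    target = os.path.join(root, uuid.uuid4().hex + ext)
    # Defence in depth: confirm the resolved path is still inside root.
    if os.path.commonpath([root, os.path.realpath(target)]) != root:
        raise UploadRejected("resolved path escapes upload root")
    # O_EXCL never overwrites an existing file; 0o600 keeps it private.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return target


def demo() -> dict:
    """Run constructed inputs through the checks and report the outcomes."""
    png = ALLOWED_TYPES[".png"] + b"\x00" * 32   # constructed PNG-like blob
    results = {
        "script": rejection_reason("task.py", b"import os\n", {"admin"}),
        "renamed_script": rejection_reason(
            "task.png", b"<?php system($_GET['c']); ?>", {"admin"}),
        "traversal": rejection_reason(
            "../../etc/cron.d/job", b"* * * * * root id\n", {"admin"}),
        "low_priv": rejection_reason("logo.png", png, {"viewer"}),
        "good": rejection_reason("logo.png", png, {"admin"}),
    }
    with tempfile.TemporaryDirectory() as root:
        path = store_upload(root, "logo.png", png, {"admin"})
        results["stored_in_root"] = os.path.dirname(path) == os.path.realpath(root)
        results["stored_ext"] = os.path.splitext(path)[1]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of checks is deliberate: role and size are decided before any attacker-controlled bytes are inspected, and the stored name is generated server-side so that neither the extension check nor the path check can be argued around by a clever filename.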

Generated by OpenCVE AI on April 18, 2026 at 11:06 UTC.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 13:00:00 +0000
  CPEs
    Removed: cpe:2.3:a:fastapiadmin:fastapi-admin:2.0:*:*:*:*:*:*:*
             cpe:2.3:a:fastapiadmin:fastapi-admin:2.1:*:*:*:*:*:*:*
             cpe:2.3:a:fastapiadmin:fastapi-admin:2.2.0:*:*:*:*:*:*:*
    Added:   cpe:2.3:a:fastapiadmin:fastapiadmin:*:*:*:*:*:*:*:*
  Vendors & Products
    Removed: Fastapiadmin fastapi-admin

Wed, 25 Feb 2026 15:30:00 +0000
  First Time appeared: Fastapiadmin fastapi-admin
  CPEs
    Added: cpe:2.3:a:fastapiadmin:fastapi-admin:2.0:*:*:*:*:*:*:*
           cpe:2.3:a:fastapiadmin:fastapi-admin:2.1:*:*:*:*:*:*:*
           cpe:2.3:a:fastapiadmin:fastapi-admin:2.2.0:*:*:*:*:*:*:*
  Vendors & Products
    Added: Fastapiadmin fastapi-admin

Mon, 23 Feb 2026 15:00:00 +0000
  First Time appeared: Fastapiadmin; Fastapiadmin fastapiadmin
  Vendors & Products
    Added: Fastapiadmin; Fastapiadmin fastapiadmin

Mon, 23 Feb 2026 14:15:00 +0000
  Metrics
    Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 07:45:00 +0000 (record created; all values added)
  Description: A vulnerability was detected in FastApiAdmin up to 2.2.0. This vulnerability affects the function upload_file_controller of the file /backend/app/api/v1/module_system/params/controller.py of the component Scheduled Task API. Performing a manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used.
  Title: FastApiAdmin Scheduled Task API controller.py upload_file_controller unrestricted upload
  Weaknesses: CWE-284, CWE-434
  References: (none listed)
  Metrics
    cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T13:15:32.013Z

Reserved: 2026-02-22T15:09:10.914Z

Link: CVE-2026-2978

Vulnrichment

Updated: 2026-02-23T13:15:25.296Z

NVD

Status : Analyzed

Published: 2026-02-23T08:16:13.983

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2978

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:15:35Z

Weaknesses