Description
A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function user_avatar_upload_controller of the file /backend/app/api/v1/module_system/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used.
Published: 2026-02-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Unrestricted File Upload
Action: Patch Now
AI Analysis

Impact

A flaw in FastApiAdmin up to version 2.2.0 allows an attacker to upload arbitrary files through the user_avatar_upload_controller in the Scheduled Task API module without authentication or file type validation. The vulnerability is a classic unrestricted file upload, mapping to CWE-434, and combined with improper access control (CWE-284), it can lead to the execution of uploaded code or other malicious payloads. According to the CVE description, the flaw can be exploited remotely, and an off-the-shelf exploit has been published and may be used.

Affected Systems

This vulnerability affects the FastApiAdmin application released by FastApiAdmin. All instances running any version up to and including 2.2.0 are impacted; no other versions are known to be affected.

Risk and Exploitability

The CVSS score is 5.3, reflecting a medium severity with potential for moderate impact. The EPSS score is below 1%, indicating a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers can remotely target the exposed API endpoint, upload a malicious file, and then trigger its execution through the application or by accessing the file via a publicly accessible URL. Proper mitigations, however, can effectively eliminate the risk.

Generated by OpenCVE AI on April 18, 2026 at 11:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FastApiAdmin to a version newer than 2.2.0 that contains the official fix.
  • If an update is not immediately possible, restrict uploads to a whitelist of safe media types such as image/jpeg and image/png, and reject any executable or script files.
  • Enforce strict authentication and authorization on the user_avatar_upload_controller endpoint, ensuring only privileged users can perform uploads. Apply additional server‑side validation to verify MIME types and file signatures before storage.
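The three interim measures above (an allowlist of media types, server-side MIME and file-signature checks, and an authentication gate on the upload endpoint) fit naturally into one validation routine. The following is an added example written for this page, not FastApiAdmin's own code: it validates an avatar upload against constructed sample inputs and, when FastAPI happens to be installed, shows how such a check would sit inside a route. MAX_AVATAR_BYTES, require_user, the route path and the stored-name scheme are assumptions, not values from the project.

```python
"""Validation for a user-avatar upload endpoint.

Added example, not FastApiAdmin's own code. It implements the recommended
interim measures as one reusable function: media-type allowlist, server-side
signature (magic-byte) check, size cap, server-chosen filename, and an
authentication gate. MAX_AVATAR_BYTES and require_user are hypothetical.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_AVATAR_BYTES = 2 * 1024 * 1024  # hypothetical 2 MiB cap on an avatar

# Allowlist: each accepted media type and the magic bytes a genuine file starts with.
ALLOWED_SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}
# The server, not the client, picks the stored extension.
EXTENSION_FOR_TYPE = {"image/jpeg": ".jpg", "image/png": ".png"}


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None  # random server-chosen name when accepted


def sniff_media_type(data: bytes) -> Optional[str]:
    """Return the allowlisted media type whose signature the bytes carry, else None."""
    for media_type, magics in ALLOWED_SIGNATURES.items():
        if any(data.startswith(magic) for magic in magics):
            return media_type
    return None


def validate_avatar_upload(declared_type: str, data: bytes, *, is_authenticated: bool) -> UploadDecision:
    """Decide whether an upload may be stored; every rejection names its reason."""
    if not is_authenticated:
        return UploadDecision(False, "authentication required")
    if not data:
        return UploadDecision(False, "empty upload")
    if len(data) > MAX_AVATAR_BYTES:
        return UploadDecision(False, "upload exceeds size limit")
    # Strip parameters such as '; charset=...' before comparing against the allowlist.
    declared = declared_type.split(";", 1)[0].strip().lower()
    if declared not in ALLOWED_SIGNATURES:
        return UploadDecision(False, f"media type not allowed: {declared or '<none>'}")
    sniffed = sniff_media_type(data)
    if sniffed is None:
        # Declared type was allowed but the bytes are not an allowed image (e.g. a script).
        return UploadDecision(False, "content does not carry an allowed image signature")
    if sniffed != declared:
        return UploadDecision(False, f"declared {declared} but content is {sniffed}")
    # Discard the client filename entirely: a random name plus a server-chosen
    # extension rules out path traversal and executable extensions.
    stored = secrets.token_hex(16) + EXTENSION_FOR_TYPE[sniffed]
    return UploadDecision(True, "ok", stored)


# Optional FastAPI wiring; skipped when FastAPI is not installed so the module
# still imports on its own. require_user is a hypothetical auth dependency.
try:
    from fastapi import APIRouter, Depends, File, HTTPException, UploadFile

    router = APIRouter()

    def require_user():  # placeholder: replace with the project's session/JWT check
        raise HTTPException(status_code=401, detail="authentication required")

    @router.post("/user/avatar")
    async def user_avatar_upload(file: UploadFile = File(...), user=Depends(require_user)):
        data = await file.read()
        decision = validate_avatar_upload(file.content_type or "", data, is_authenticated=True)
        if not decision.accepted:
            raise HTTPException(status_code=400, detail=decision.reason)
        # Persist `data` under decision.stored_name in a directory the web server never executes from.
        return {"stored_as": decision.stored_name}
except ImportError:
    pass


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header and a script body mislabelled as PNG.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    script = b"#!/usr/bin/env python3\nprint('not an image')\n"
    print(validate_avatar_upload("image/png", png, is_authenticated=True))
    print(validate_avatar_upload("image/png", script, is_authenticated=True))
```

The signature check is what makes the allowlist meaningful: a client can declare any Content-Type it likes, so the decision rests on the bytes actually received and on a mismatch between the two being treated as a rejection rather than a hint. Keeping the stored filename server-generated and the storage directory outside anything the web server will execute closes the second half of the CWE-434 chain even if a validator is later bypassed.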

Generated by OpenCVE AI on April 18, 2026 at 11:06 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:fastapiadmin:fastapi-admin:2.0:*:*:*:*:*:*:*
cpe:2.3:a:fastapiadmin:fastapi-admin:2.1:*:*:*:*:*:*:*
cpe:2.3:a:fastapiadmin:fastapi-admin:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:fastapiadmin:fastapiadmin:*:*:*:*:*:*:*:*
Vendors & Products Fastapiadmin fastapi-admin

Wed, 25 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Fastapiadmin fastapi-admin
CPEs cpe:2.3:a:fastapiadmin:fastapi-admin:2.0:*:*:*:*:*:*:*
cpe:2.3:a:fastapiadmin:fastapi-admin:2.1:*:*:*:*:*:*:*
cpe:2.3:a:fastapiadmin:fastapi-admin:2.2.0:*:*:*:*:*:*:*
Vendors & Products Fastapiadmin fastapi-admin

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Fastapiadmin
Fastapiadmin fastapiadmin
Vendors & Products Fastapiadmin
Fastapiadmin fastapiadmin

Mon, 23 Feb 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 08:30:00 +0000

Type Values Removed Values Added
Description A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function user_avatar_upload_controller of the file /backend/app/api/v1/module_system/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used.
Title FastApiAdmin Scheduled Task API controller.py user_avatar_upload_controller unrestricted upload
Weaknesses CWE-284
CWE-434
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Fastapiadmin Fastapiadmin
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T13:07:05.795Z

Reserved: 2026-02-22T15:09:13.479Z

Link: CVE-2026-2979

Vulnrichment

Updated: 2026-02-23T13:06:58.636Z

NVD

Status : Analyzed

Published: 2026-02-23T09:17:01.427

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2979

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:15:35Z

Weaknesses