Description
An uncaught exception in the /application/job/update/{id} endpoint of FastapiAdmin v2.2.0 allows authenticated attackers with the module_task:job:update permission to cause a Denial of Service (DoS) via manipulating the func field of scheduled tasks.
Published: 2026-06-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An uncaught exception within the /application/job/update/{id} endpoint of FastapiAdmin 2.2.0 allows an authenticated attacker who holds the module_task:job:update permission to trigger a denial of service by manipulating the func field that specifies how scheduled tasks are executed. The vulnerability arises because the application fails to handle errors in this endpoint, causing the service to become unresponsive or crash. The impact is a loss of availability for the affected FastapiAdmin instance, potentially affecting all users and downstream services that rely on it.

Affected Systems

FastapiAdmin version 2.2.0 is affected. Applications that expose the /application/job/update/{id} endpoint and grant module_task:job:update authority to users are at risk. No other product versions were listed as vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The attacker needs valid credentials and the module_task:job:update permission to invoke the endpoint, so the attack must come from an authenticated user, whether an insider or an external account holder. The EPSS score is unavailable, and the issue is not listed in the CISA KEV catalog. Once exploited, the service may become unreachable, so the risk is significant for environments that depend on continuous availability.

Generated by OpenCVE AI on June 9, 2026 at 22:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FastapiAdmin to a patched version once it is released.
  • Limit or revoke the module_task:job:update permission for users who do not require it to reduce the attack surface.
  • Disable or throttle the /application/job/update/{id} endpoint until a fix is applied.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 02:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Fastapiadmin; Fastapiadmin fastapiadmin

Type: Vendors & Products
Values Removed: (none)
Values Added: Fastapiadmin; Fastapiadmin fastapiadmin

Tue, 09 Jun 2026 22:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: FastapiAdmin Job Update Denial of Service

Tue, 09 Jun 2026 20:30:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-400

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: An uncaught exception in the /application/job/update/{id} endpoint of FastapiAdmin v2.2.0 allows authenticated attackers with the module_task:job:update permission to cause a Denial of Service (DoS) via manipulating the func field of scheduled tasks.
References

Subscriptions

Fastapiadmin Fastapiadmin
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-09T19:28:33.389Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36724

Vulnrichment

Updated: 2026-06-09T19:28:28.574Z

NVD

Status: Received

Published: 2026-06-09T19:17:42.873

Modified: 2026-06-09T21:17:10.733

Link: CVE-2026-36724

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:00:12Z

Weaknesses