Description
The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641.
Published: 2026-06-18
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Webmin HTTP server (miniserv.pl) contains an authentication bypass that allows an attacker to forge HTTP headers and impersonate any user whose account is linked to an SSL client certificate. By spoofing certificate subject names (DNs) in the header, an unauthenticated attacker can obtain session tokens that are normally restricted to legitimate certificate holders, effectively gaining the privileges of that user. The weakness is a classic example of improper authentication enforcement (CWE‑290).

Affected Systems

All installations of Webmin prior to release 2.641 are vulnerable. The flaw applies to any version of the Webmin suite that supports SSL client certificate authentication, regardless of the operating system or environment. The affected component is the miniserv.pl HTTP server handling SSL client certificates.

Risk and Exploitability

With a CVSS score of 9.2 the vulnerability is considered critical. The EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs only to send a crafted HTTP request over the network to the Webmin server; no local access or privileged credentials are required. The attack path is purely remote, making the potential impact immediate and widespread if the Webmin instance is exposed to the internet or a compromised internal network.

Generated by OpenCVE AI on June 18, 2026 at 19:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Webmin to version 2.641 or newer where the issue is fixed
  • If an upgrade is not immediately possible, disable SSL client certificate authentication or restrict access to the Webmin interface behind a trusted network segment
  • Revoke any client certificates that may have been exposed and monitor login logs for suspicious authentication events

Generated by OpenCVE AI on June 18, 2026 at 19:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Webmin
Webmin webmin
Vendors & Products Webmin
Webmin webmin

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641.
Title Webmin HTTP header authentication bypass
Weaknesses CWE-290
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-06-22T12:33:00.797Z

Reserved: 2026-06-18T14:15:27.103Z

Link: CVE-2026-56020

cve-icon Vulnrichment

Updated: 2026-06-22T12:32:58.096Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:15:03Z

Weaknesses
  • CWE-290

    Authentication Bypass by Spoofing