Description
Webmin allows unauthenticated attackers to read the contents of any file ending in .conf within module directories, due to a bypassable regex pattern.
Published: 2026-06-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Webmin allows an unauthenticated attacker to read the contents of any file ending in .conf within module directories. The flaw is caused by a bypassable regular‑expression pattern that incorrectly validates filenames, enabling disclosure of configuration information. The weakness falls under CWE‑185 and CWE‑777, which are related to privileged information exposure and potential misuse of system resources.

Affected Systems

This vulnerability affects the Webmin web‑based system administration tool, specifically versions released before 2.64.1. Users running any older Webmin build are at risk if their module directories contain .conf files that should remain confidential.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate to high risk, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Because authentication is not required, an attacker can achieve the exploit simply by sending a request to the Webmin interface from an external network. The attack requires network reachability to the Webmin management port and the ability to construct a request that matches the vulnerable regex. Once exploited, the attacker gains read access to sensitive configuration files, potentially exposing passwords, socket settings, or other secrets.

Generated by OpenCVE AI on June 18, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Webmin to version 2.64.1 or later, which removes the vulnerable regex logic.
  • Configure the Webmin firewall or network access controls to restrict the Webmin management port to trusted IP addresses, limiting exposure to external attackers.
  • Remove or limit access to module directories that contain .conf files, or adjust file permissions to prevent unintended read access by the Webmin process.

Generated by OpenCVE AI on June 18, 2026 at 20:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Webmin
Webmin webmin
Vendors & Products Webmin
Webmin webmin

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Webmin allows unauthenticated attackers to read the contents of any file ending in .conf within module directories, due to a bypassable regex pattern.
Title Webmin information disclosure via regex pattern
Weaknesses CWE-185
CWE-777
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-06-24T19:54:23.848Z

Reserved: 2026-06-18T14:15:35.109Z

Link: CVE-2026-56021

cve-icon Vulnrichment

Updated: 2026-06-24T19:54:21.241Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:30:05Z

Weaknesses
  • CWE-185

    Incorrect Regular Expression

  • CWE-777

    Regular Expression without Anchors