Description
Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641.
Published: 2026-06-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Webmin accepts basic authentication without session cookies when an attacker supplies the 'User-Agent: webmin' header, enabling bypass of required MFA steps. This flaw allows an attacker to gain authenticated access without satisfying the multi‑factor challenge, effectively compromising account security. The weakness is categorized as CWE‑308, indicating improper permission or privilege assignment.

Affected Systems

The vulnerability affects the Webmin Webmin product for all releases prior to version 2.641. No specific sub‑version ranges are listed beyond the indication that earlier releases can be exploited. The fix is included in release 2.641, which is the only version known to contain the mitigation.

Risk and Exploitability

The CVSS score of 6.9 classifies this issue as medium severity. No EPSS score is available, indicating that real‑world exploitation statistics are not reported, and it is not listed in CISA’s KEV catalog. The likely attack vector is remote request injection over HTTP or HTTPS, where an attacker can craft a request with the special User‑Agent header; the flaw does not require privileged local access or pre‑existing authentication, but it does rely on the Webmin server accepting the header and allowing basic authentication. Because the vulnerability facilitates unauthorized access rather than arbitrary code execution, the risk is primarily loss of confidentiality and integrity for compromised user accounts.

Generated by OpenCVE AI on June 18, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Webmin to version 2.641 or later to apply the manual fix that prevents basic authentication without session cookies.
  • Configure Webmin to require session cookies for all authenticated sessions, disabling the fallback to basic authentication without a cookie.
  • After upgrade, audit user accounts for any unexpected changes or access logs that may indicate prior exploitation, and reset passwords as a precaution.

Generated by OpenCVE AI on June 18, 2026 at 19:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Webmin
Webmin webmin
Vendors & Products Webmin
Webmin webmin

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641.
Title Webmin MFA bypass
Weaknesses CWE-308
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-06-24T19:55:03.365Z

Reserved: 2026-06-18T14:15:41.670Z

Link: CVE-2026-56022

cve-icon Vulnrichment

Updated: 2026-06-24T19:54:59.634Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:00:14Z

Weaknesses
  • CWE-308

    Use of Single-factor Authentication