CVE-2026-1194
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-20

Last updated on: 2026-02-05

Assigner: VulDB

Description
A security flaw has been discovered in MineAdmin 1.x/2.x. This affects an unknown function of the component Swagger. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1194
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mineadmin mineadmin 1.0
mineadmin mineadmin 2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-NVD-CWE-noinfo
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1194 is an information disclosure vulnerability in MineAdmin versions 1.x and 2.x, specifically in the Swagger component. Due to improper permission validation in the default deployment configuration, an attacker can remotely access sensitive Swagger API documentation by sending a GET request to the endpoint `/swagger/http.json`. This exposes internal API details and system information without requiring authentication, potentially aiding attackers in gathering information about the system. [1, 2, 3]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive internal API information, which may allow attackers to gather detailed information about the backend system. Such information leakage can facilitate further attacks by revealing system structure, endpoints, and potentially sensitive data. Since the vulnerability is remotely exploitable without authentication and a public exploit exists, it poses a moderate security risk. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by checking if the Swagger API documentation endpoint is accessible without authentication. Specifically, sending a GET request to the endpoint `/swagger/http.json` on the MineAdmin server can reveal if sensitive information is exposed. For example, you can use the following command to test this: `curl -v http://<target-ip-or-domain>/swagger/http.json`. If the response contains Swagger API documentation data without requiring authentication, the system is vulnerable. [1]

Mitigation Strategies

Immediate mitigation steps include strengthening permission validation controls on the Swagger interface to prevent unauthorized access. Since the vulnerability arises from the default deployment configuration exposing Swagger documentation without authentication, restricting access to the Swagger endpoint (e.g., via authentication, IP whitelisting, or disabling Swagger in production) is recommended. If no patch or fix is available from the vendor, consider replacing the affected product with an alternative or disabling the Swagger interface until a secure configuration is ensured. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1194. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart