CVE-2026-2898
Received Received - Intake
Deserialization Vulnerability in funadmin Backend Enables Remote Exploit

Publication date: 2026-02-22

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloud_account results in deserialization. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-22
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2898
EUVD
EUVD-2026-7543
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
funadmin funadmin to 7.1.0 (exc)
funadmin funadmin 7.1.0
funadmin funadmin 7.1.0
funadmin funadmin 7.1.0
funadmin funadmin 7.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2898 is a deserialization vulnerability in funadmin versions up to 7.1.0-rc4, specifically in the getMember function of the file app/common/service/AuthCloudService.php within the Backend Endpoint component.

The vulnerability occurs because the argument cloud_account, which comes from user-controlled cookie data, is deserialized without proper validation. This unsafe deserialization allows attackers to supply malicious serialized data.

Exploitation can be performed remotely and requires some user interaction. Attackers can leverage gadget chains from the League Flysystem dependency to perform arbitrary file writes on the server, potentially leading to remote code execution.

The vulnerability affects several backend endpoints that invoke getMember(), including upgrade and addon related endpoints. The vendor was notified but did not respond or provide any mitigation.

Impact Analysis

This vulnerability impacts the confidentiality, integrity, and availability of the affected system.

An attacker can exploit this flaw to write arbitrary files on the server, including malicious PHP code, which can lead to remote code execution.

Successful exploitation allows an attacker to fully compromise the backend system without requiring authentication, potentially taking control over the application and its data.

The exploit is publicly available and can be triggered remotely, increasing the risk of attacks.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by identifying the presence of the vulnerable funadmin versions (up to 7.1.0-rc4) and specifically the vulnerable function getMember in the file app/common/service/AuthCloudService.php.

One detection method is to use Google dorking techniques to find exposed endpoints that include the vulnerable file, for example by searching for inurl:app/common/service/AuthCloudService.php.

On your system or network, you can check for requests or traffic targeting the following backend endpoints that invoke the vulnerable getMember function:

  • /backend/addon/index
  • /backend/sys/upgrade/index
  • /backend/sys/upgrade/check
  • /backend/sys/upgrade/backup
  • /backend/sys/upgrade/install

Additionally, monitoring for suspicious cookies named cloud_account containing serialized data or unusual payloads may help detect exploitation attempts.

Mitigation Strategies

There are no known patches or vendor-provided mitigations for this vulnerability as the vendor did not respond to the disclosure.

Immediate mitigation steps include considering replacing the affected product or component (funadmin versions up to 7.1.0-rc4) with a secure alternative.

In the short term, restrict access to the vulnerable backend endpoints to trusted users only and monitor for suspicious activity targeting these endpoints.

Implement network-level protections such as web application firewalls (WAFs) to detect and block malicious serialized payloads or exploitation attempts involving the cloud_account cookie.

Avoid user interaction with untrusted sources that might trigger the vulnerability, as exploitation requires some user interaction.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2898. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart