CVE-2026-2976
Information Disclosure via Remote File Path Manipulation in FastApiAdmin Download Endpoint
Publication date: 2026-02-23
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fastapiadmin | fastapiadmin | up to and including 2.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information stored on the server, compromising confidentiality. Attackers can remotely exploit this flaw to read critical system files or private data, which may facilitate further attacks or system compromise.
Because the exploit is publicly available and easy to execute, systems using affected FastApiAdmin versions are at moderate risk of being targeted.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-2976 is an information disclosure vulnerability in FastApiAdmin versions up to 2.2.0. It affects the download_controller function in the Download Endpoint component. The vulnerability occurs because the file_path argument is improperly handled, allowing an attacker to manipulate it to access sensitive files on the server remotely without proper authorization.
Specifically, the endpoint accepts arbitrary file_path parameters without sanitization or canonicalization, enabling attackers to use absolute paths or path traversal payloads to read sensitive server files such as /etc/passwd or private keys.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the affected FastApiAdmin download endpoint for improper handling of the file_path parameter. Specifically, attempts to download sensitive files using path traversal payloads or absolute paths can reveal the vulnerability.
You can try sending HTTP requests to the endpoint `/api/v1/common/file/download` with crafted file_path parameters to check if unauthorized files can be accessed.
- Use curl or similar tools to request sensitive files, for example: `curl -X GET 'http://<target>/api/v1/common/file/download?file_path=/etc/passwd'`
- Test path traversal payloads such as: `curl -X GET 'http://<target>/api/v1/common/file/download?file_path=../../../../etc/passwd'`
Successful retrieval of sensitive files like /etc/passwd indicates the presence of the vulnerability. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable download endpoint and validating the file_path parameter rigorously.
- Enforce strict path validation and canonicalization to prevent absolute paths and path traversal sequences.
- Restrict downloads to a safe upload directory or map logical IDs to files instead of accepting arbitrary file paths.
- Validate user permissions on a per-file basis to ensure only authorized access.
- Serve files through a controlled, safe API or use signed, short-lived download tokens.
If possible, replace the affected FastApiAdmin component with an alternative product or update to a version that addresses this issue once available.
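Hardened handling of the file_path parameter, as an added example that is not FastApiAdmin's own code: the weak join pattern beside a canonicalizing check, plus a token-based registry that maps opaque IDs to files and checks the owner on each lookup. UPLOAD_ROOT and the owner names are constructed for the example; only the parameter name comes from the advisory.

```python
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed upload root for the example; the real deployment path is not on the page.
UPLOAD_ROOT = "/srv/fastapiadmin/uploads"

def naive_resolve(file_path: str, root: str = UPLOAD_ROOT) -> str:
    """The weak pattern: os.path.join discards `root` when `file_path` is
    absolute and passes ".." segments through, so both request shapes the
    advisory describes reach the filesystem unchanged."""
    return os.path.join(root, file_path)

def safe_resolve(file_path: str, root: str = UPLOAD_ROOT) -> str:
    """Canonical path of `file_path`, or ValueError if it leaves `root`.
    realpath follows symlinks on both sides; commonpath (unlike a string
    prefix test) rejects siblings such as `/srv/fastapiadmin/uploads_evil`."""
    if not file_path or "\x00" in file_path or os.path.isabs(file_path):
        raise ValueError("file_path must be a relative path without NUL bytes")
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, file_path))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError("file_path escapes the upload directory")
    return candidate

def is_safe(file_path: str, root: str = UPLOAD_ROOT) -> bool:
    """Boolean form of safe_resolve for request validation."""
    try:
        safe_resolve(file_path, root)
        return True
    except ValueError:
        return False

class DownloadRegistry:
    """Preferred design: the client sends an opaque token, never a path,
    and each lookup is checked against the file's owner."""
    def __init__(self) -> None:
        self._files: Dict[str, Tuple[str, str]] = {}

    def register(self, stored_name: str, owner: str) -> str:
        token = secrets.token_urlsafe(16)
        self._files[token] = (safe_resolve(stored_name), owner)
        return token

    def lookup(self, token: str, requester: str) -> Optional[str]:
        entry = self._files.get(token)
        if entry is None or entry[1] != requester:
            return None  # unknown token or not the owner: nothing disclosed
        return entry[0]
```

In a FastAPI route, call `safe_resolve` on the query value (or, better, `DownloadRegistry.lookup` with the authenticated user) before handing the result to a file response.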