CVE-2026-2976
Received Received - Intake
Information Disclosure via Remote File Path Manipulation in FastApiAdmin Download Endpoint

Publication date: 2026-02-23

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function download_controller of the file /backend/app/api/v1/module_common/file/controller.py of the component Download Endpoint. This manipulation of the argument file_path causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-23
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2976
EUVD
EUVD-2026-7608
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fastapiadmin fastapiadmin to 2.2.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored on the server, compromising confidentiality. Attackers can remotely exploit this flaw to read critical system files or private data, which may facilitate further attacks or system compromise.

Because the exploit is publicly available and easy to execute, systems using affected FastApiAdmin versions are at moderate risk of being targeted.

Compliance Impact

I don't know

Executive Summary

CVE-2026-2976 is an information disclosure vulnerability in FastApiAdmin versions up to 2.2.0. It affects the download_controller function in the Download Endpoint component. The vulnerability occurs because the file_path argument is improperly handled, allowing an attacker to manipulate it to access sensitive files on the server remotely without proper authorization.

Specifically, the endpoint accepts arbitrary file_path parameters without sanitization or canonicalization, enabling attackers to use absolute paths or path traversal payloads to read sensitive server files such as /etc/passwd or private keys.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the affected FastApiAdmin download endpoint for improper handling of the file_path parameter. Specifically, attempts to download sensitive files using path traversal payloads or absolute paths can reveal the vulnerability.'}, {'type': 'paragraph', 'content': 'You can try sending HTTP requests to the endpoint `/api/v1/common/file/download` with crafted file_path parameters to check if unauthorized files can be accessed.'}, {'type': 'list_item', 'content': "Use curl or similar tools to request sensitive files, for example: curl -X GET 'http://<target>/api/v1/common/file/download?file_path=/etc/passwd'"}, {'type': 'list_item', 'content': "Test path traversal payloads such as: curl -X GET 'http://<target>/api/v1/common/file/download?file_path=../../../../etc/passwd'"}, {'type': 'paragraph', 'content': 'Successful retrieval of sensitive files like /etc/passwd indicates the presence of the vulnerability.'}] [1, 3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable download endpoint and validating the file_path parameter rigorously.

  • Enforce strict path validation and canonicalization to prevent absolute paths and path traversal sequences.
  • Restrict downloads to a safe upload directory or map logical IDs to files instead of accepting arbitrary file paths.
  • Validate user permissions on a per-file basis to ensure only authorized access.
  • Serve files through a controlled, safe API or use signed, short-lived download tokens.

If possible, replace the affected FastApiAdmin component with an alternative product or update to a version that addresses this issue once available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2976. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart