CVE-2026-36724
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: MITRE

Description
An uncaught exception in the /application/job/update/{id} endpoint of FastapiAdmin v2.2.0 allows authenticated attackers with the module_task:job:update permission to cause a Denial of Service (DoS) by manipulating the func field of scheduled tasks.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
Source: NVD
Affected Vendors & Products (2 associated CPEs)
Vendor       | Product      | Version / Range
fastapiadmin | fastapiadmin | 2.2.0
fastapiadmin | fastapiadmin | up to 2.2.0 (exc)
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-36724 is a vulnerability in FastapiAdmin version 2.2.0 and earlier where an uncaught exception occurs in the /application/job/update/{id} endpoint.

The issue arises because the func field of scheduled tasks is not properly validated before being saved to the database.

If an attacker with the module_task:job:update permission manipulates the func field to a value without a dot (.), the application fails to restart during initialization.

This failure happens because the init_system_scheduler() method tries to split the func field into a module path and function name using rsplit(".", 1); when the value contains no dot, rsplit returns a single element instead of the expected pair, the unpacking fails, and the resulting uncaught exception crashes the application startup.

As a result, the application experiences a Denial of Service (DoS) due to the lack of proper exception handling during task initialization.

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) condition in the FastapiAdmin application.

An attacker with the appropriate permission can manipulate the func field of scheduled tasks to trigger an uncaught exception that crashes the application during startup.

This means the application will fail to restart properly, potentially leading to downtime and disruption of services that depend on FastapiAdmin.

Detection Guidance

This vulnerability can be detected by monitoring the behavior of the FastapiAdmin application, specifically the /api/v1/application/job/update/{id} endpoint. Signs of exploitation include application startup failures or crashes related to task initialization.

Since the issue arises when the func field of scheduled tasks is manipulated to a value without a dot (.), you can detect suspicious inputs by querying the database or logs for scheduled tasks where the func field does not contain a dot.

Suggested commands to detect potential exploitation or presence of vulnerable configurations include:

  • Query the database for scheduled tasks with invalid func fields, for example (SQL): SELECT * FROM scheduled_tasks WHERE func NOT LIKE '%.%';
  • Check application logs for uncaught exceptions or crashes during startup related to task initialization.
  • Use network monitoring tools to detect repeated requests to the /api/v1/application/job/update/{id} endpoint with suspicious payloads manipulating the func field.

Mitigation Strategies

Immediate mitigation steps include:

  • Implement input validation to ensure the func field contains a valid module path and function name with a dot (.) before saving scheduled tasks.
  • Add proper exception handling during task initialization to catch parsing errors and prevent application crashes.
  • Review and validate existing task configurations in the database to identify and correct any invalid func field values.
  • Restrict the module_task:job:update permission to trusted users only to reduce the risk of exploitation.
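The first two mitigation steps (validate the func field before it is stored, and handle per-task parsing errors during initialization) shown side by side with the fragile rsplit(".", 1) pattern the advisory describes, as an added Python example. This is not FastapiAdmin's own code: the task rows, the dotted module paths and the function names parse_func_unsafe, validate_func, init_system_scheduler_unsafe and init_system_scheduler_safe are constructed for illustration.

```python
import logging

log = logging.getLogger(__name__)

# Constructed sample of persisted scheduled-task rows (not FastapiAdmin's real schema).
# Row 2 is the shape the advisory describes: a func value with no dot in it.
SAMPLE_TASKS = [
    {"id": 1, "func": "module_task.jobs.cleanup_tmp"},
    {"id": 2, "func": "backup_database"},
    {"id": 3, "func": "module_task.jobs.send_report"},
]


def parse_func_unsafe(func: str) -> tuple[str, str]:
    """Fragile parse: rsplit(".", 1) yields one element when there is no dot,
    so unpacking into two names raises ValueError."""
    module_path, func_name = func.rsplit(".", 1)
    return module_path, func_name


def validate_func(func: str) -> tuple[str, str]:
    """Hardened parse: accept only '<dotted.module.path>.<function>' made of identifiers.
    Call this at the update endpoint, before the value is saved."""
    if not isinstance(func, str) or "." not in func:
        raise ValueError(f"func {func!r} must be '<module.path>.<function>'")
    module_path, func_name = func.rsplit(".", 1)
    parts = module_path.split(".")
    if not all(p.isidentifier() for p in parts) or not func_name.isidentifier():
        raise ValueError(f"func {func!r} contains a non-identifier component")
    return module_path, func_name


def init_system_scheduler_unsafe(tasks: list[dict]) -> list[tuple[str, str]]:
    """Startup without per-task handling: one bad row aborts the whole loop."""
    return [parse_func_unsafe(t["func"]) for t in tasks]


def startup_crashes(tasks: list[dict]) -> bool:
    """True if the unsafe initialization would raise, i.e. startup would fail."""
    try:
        init_system_scheduler_unsafe(tasks)
        return False
    except ValueError:
        return True


def init_system_scheduler_safe(tasks: list[dict]) -> tuple[list, list[int]]:
    """Startup with per-task handling: a bad row is logged and skipped, startup proceeds."""
    loaded, skipped = [], []
    for t in tasks:
        try:
            loaded.append((t["id"], *validate_func(t["func"])))
        except ValueError as exc:
            log.error("skipping scheduled task %s: %s", t["id"], exc)
            skipped.append(t["id"])
    return loaded, skipped
```

The skipped-task log line doubles as a detection signal for the invalid rows the SQL query above looks for.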