CVE-2026-56020
Authentication Bypass via Forged HTTP Header in Webmin

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description
The Webmin HTTP server (miniserv.pl) allows an unauthenticated attacker to impersonate any user who has a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate Distinguished Names (DNs) and authenticate as any such user. Fixed in Webmin 2.641.
Meta Information
Published: 2026-06-18
Last Modified: 2026-06-18
Generated: 2026-06-19
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor   | Product | Version / Range
webmin   | webmin  | 2.641
CWE ID  | Description
CWE-290 | Authentication Bypass by Spoofing: an authentication scheme is implemented in a way that lets an attacker spoof the checked identity.
Executive Summary

The vulnerability in the Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user who has a configured SSL client certificate by sending a forged HTTP header.

A remote attacker can spoof certificate Distinguished Names (DNs) and authenticate as any user without needing valid credentials.

This issue was fixed in Webmin version 2.641.

Impact Analysis

This vulnerability is severe because it lets an attacker gain unauthorized access by impersonating any user who has a configured SSL client certificate; no valid credentials or private key are needed, only a forged HTTP header.

Such access can lead to data exposure, actions performed on behalf of legitimate users, and compromise of the managed system, since Webmin users typically hold administrative rights on the host.

Given the high CVSS scores (9.2 for v4.0 and 8.1 for v3.1), the vulnerability is considered critical and can result in significant confidentiality, integrity, and availability impacts.

Mitigation Strategies

The vulnerability in the Webmin HTTP server (miniserv.pl) that allows unauthenticated attackers to impersonate any user with a configured SSL client certificate is fixed in version 2.641.

The immediate mitigation is to upgrade Webmin to version 2.641 or later. Until the upgrade is applied, note that only users with a configured SSL client certificate are impersonable, so reviewing which accounts have certificate-based authentication enabled helps scope the exposure.
