CVE-2026-56022
Received - Intake
Authentication Bypass in Webmin via User-Agent Header

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description
Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641.
Meta Information
Published: 2026-06-18
Last Modified: 2026-06-18
Generated: 2026-06-19
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
webmin | webmin | 2.641
CWE
CWE ID | Description
CWE-308 | The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.
Impact Analysis

This vulnerability allows an attacker to bypass MFA protections and gain access to Webmin with basic authentication alone. This increases the risk of unauthorized access to system management interfaces, potentially leading to system compromise or unauthorized changes.

Mitigation Strategies

The vulnerability is fixed in Webmin version 2.641. The immediate mitigation is to upgrade Webmin to version 2.641 or later.

Executive Summary

This vulnerability in Webmin allows an attacker to bypass additional multi-factor authentication (MFA) requirements by providing a specific HTTP header 'User-Agent: webmin'. When this header is present, Webmin accepts basic authentication without requiring session cookies, which normally help enforce MFA.
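For hosts that cannot be upgraded immediately, the condition described above can be hunted for in access logs. The following is an added example, not part of the advisory or of Webmin: it assumes an nginx-style Combined Log Format log from a reverse proxy in front of Webmin, where the user field is filled from the Basic credentials, and the `allow_sources` allowlist is a hypothetical parameter.

```python
import re

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
CLF = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def suspicious_requests(lines, allow_sources=frozenset()):
    """Return parsed entries that used Basic credentials with a 'webmin' User-Agent.

    allow_sources is a hypothetical allowlist of source IPs that are
    expected to send this header.
    """
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        e = m.groupdict()
        basic_auth = e["user"] != "-"           # proxy saw Basic credentials
        ua_match = "webmin" in e["ua"].lower()  # broad match (assumption): the
                                                # advisory only names 'User-Agent: webmin'
        accepted = int(e["status"]) < 400       # request was not rejected
        if basic_auth and ua_match and accepted and e["ip"] not in allow_sources:
            hits.append(e)
    return hits

# Constructed sample log lines (documentation address ranges, invented users).
SAMPLE = [
    '203.0.113.7 - - [18/Jun/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '198.51.100.23 - admin [18/Jun/2026:10:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "webmin"',
    '198.51.100.23 - admin [18/Jun/2026:10:02:09 +0000] "GET / HTTP/1.1" 401 210 "-" "webmin"',
    '192.0.2.10 - backup [18/Jun/2026:10:03:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "webmin"',
    '203.0.113.5 - root [18/Jun/2026:10:04:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE, allow_sources={"192.0.2.10"}):
        print(hit["time"], hit["ip"], hit["user"], hit["request"], hit["status"])
```

A hit is a lead for review rather than proof of MFA bypass: correlate it with whether the account has MFA enrolled and whether the source is expected.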
