CVE-2026-56022
Awaiting Analysis
Awaiting Analysis - Queue
Authentication Bypass in Webmin via User-Agent Header
Vulnerability report for CVE-2026-56022, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-18
Last updated on: 2026-06-24
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
Description
Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webmin | webmin | 2.641 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-308 | The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor. |