- Product: Webmin
- Vulnerabilities: 3 flaws (CVE-2026-56020, CVE-2026-56021, CVE-2026-56022)
- Highest severity: 9.2 (Critical · CVSSv4)
- Worst impact: HTTP header authentication bypass
- Status: No confirmed exploitation yet; patches available
- Action: Update to 2.641 now
| CVE | CVSS (CVSSv4) | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-56020 | 9.2 | HTTP header authentication bypass | 2.641 | Not exploited |
| CVE-2026-56021 | 6.9 | Information disclosure (unauthenticated read of .conf files via bypassable regex) | — | Not exploited |
| CVE-2026-56022 | 6.9 | MFA bypass | 2.641 | Not exploited |
TL;DR
Webmin 2.641 fixes three vulnerabilities in the web-based administration tool. The most serious, CVE-2026-56020, lets an unauthenticated remote attacker authenticate as any configured user by forging an HTTP header. The other two let an attacker bypass MFA (CVE-2026-56022) and read .conf files inside module directories without logging in (CVE-2026-56021). No public exploitation has been confirmed so far.
Why It Matters
Webmin is a web-based admin panel for Unix-like servers, with an estimated 1,000,000 installations a year. It manages local users, services, DNS servers, and databases, so a single flaw in its authentication path can hand an attacker control of the whole host rather than one application. Admin panels also sit at the centre of server trust: whoever authenticates to Webmin as root can do anything the root account can, which is why an authentication bypass here scores so highly.
How the Attacks Work
CVE-2026-56020 (CVSS 9.2)
Webmin's built-in HTTP server, miniserv.pl, trusts a client-supplied HTTP header that carries a client-certificate subject DN. Because the header is accepted from the remote client rather than derived from a verified TLS certificate, an unauthenticated remote attacker can forge it to spoof the DN of any configured user and is then treated as that user, with no password or second factor involved. This is the critical flaw.
CVE-2026-56022 (CVSS 6.9)
A request carrying a crafted 'User-Agent: webmin' header makes miniserv.pl accept HTTP basic authentication without a session cookie. The request never goes through the normal session login flow, so any MFA that has been added on top of password login is skipped. The attacker still needs a valid password, which is why this scores lower than the header bypass.
CVE-2026-56021 (CVSS 6.9)
The regex that decides which files under a module directory may be served without authentication can be bypassed, so an unauthenticated user can read any file whose name ends in .conf inside those directories. Those files can hold module settings and secrets that help an attacker move further.
Affected Versions
All three Webmin vulnerabilities affect releases before 2.641. The reported bugs apply to default configurations, not only to unusual setups. The vendor advisory lists each issue in full.
Patch and Mitigation
Update to Webmin 2.641, which closes all three holes; it is available from the official release page. No configuration change fully replaces the fix, so patch quickly. Until you upgrade, restrict network access to the Webmin port (10000 by default) to trusted management addresses or a VPN. Also review logs for User-Agent strings of 'webmin' coming from hosts that are not your own Webmin tooling, for successful unauthenticated reads of .conf files under module paths, and for certificate-based logins you did not expect.
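The log review and version check above, as an added example (not Webmin project code and not from the original article). It assumes the installed version is readable from /etc/webmin/version, that request logs are in Apache "combined" format with a User-Agent field (for instance from a reverse proxy in front of miniserv, or from miniserv configured to log it), and that Webmin's own tooling only ever connects from localhost. The sample log lines, module path and IP addresses are constructed for the example. It covers the User-Agent 'webmin' indicator for CVE-2026-56022 and the .conf read indicator for CVE-2026-56021; spoofed certificate DNs (CVE-2026-56020) are not visible in an access log and need the miniserv login records instead.

```python
"""Triage helpers for the Webmin flaws fixed in 2.641.

Added example, not Webmin project code. Assumes:
- /etc/webmin/version holds a single version string such as "2.621";
- request logs are Apache "combined" format, which includes the User-Agent;
- Webmin's own tooling (which legitimately sends User-Agent "webmin") only
  connects from the trusted networks listed below.
"""
import ipaddress
import re
from dataclasses import dataclass

FIXED_VERSION = "2.641"

# Apache combined log format:
# host ident user [time] "METHOD path proto" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A module directory followed by any file ending in .conf, as described for
# CVE-2026-56021. Query strings are tolerated.
CONF_READ_RE = re.compile(r'^/[^/?]+/[^?]*\.conf(?:\?.*)?$')

# Assumption: only loopback is a legitimate source of "User-Agent: webmin".
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version predates the fixed release.

    Webmin versions are decimal numbers with a fixed three-digit minor part
    (e.g. 2.111, 2.621, 2.641), so numeric comparison orders them correctly.
    """
    return float(version.strip()) < float(fixed)


def read_installed_version(path: str = "/etc/webmin/version") -> str:
    """Read the version string Webmin writes at install time."""
    with open(path, encoding="ascii") as f:
        return f.read().strip()


def parse_combined(line: str):
    """Return the fields of one combined-format log line, or None if unparsable."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


@dataclass
class Finding:
    line_no: int
    reason: str
    host: str
    path: str


def suspicious_requests(lines) -> list:
    """Flag requests matching the indicators for CVE-2026-56022 and CVE-2026-56021."""
    findings = []
    for n, line in enumerate(lines, 1):
        r = parse_combined(line)
        if r is None:
            continue
        # CVE-2026-56022: "User-Agent: webmin" lets basic auth skip the session
        # (and therefore MFA) path. Legitimate use comes only from trusted hosts.
        if r["ua"].strip().lower() == "webmin" and not is_trusted(r["host"]):
            findings.append(Finding(n, "User-Agent 'webmin' from untrusted host (possible MFA bypass)",
                                    r["host"], r["path"]))
        # CVE-2026-56021: a successful read of a .conf file under a module
        # directory with no authenticated user in the log.
        if r["user"] == "-" and r["status"] == "200" and CONF_READ_RE.match(r["path"]):
            findings.append(Finding(n, "unauthenticated .conf read (possible info disclosure)",
                                    r["host"], r["path"]))
    return findings


# Constructed sample log lines; the module path and addresses are not real.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2026:10:01:02 +0000] "GET /session_login.cgi HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - root [12/Jan/2026:10:01:09 +0000] "GET /proc/index.cgi HTTP/1.1" 200 5120 "-" "webmin"',
    '127.0.0.1 - root [12/Jan/2026:10:02:00 +0000] "GET /proc/index.cgi HTTP/1.1" 200 3001 "-" "webmin"',
    '198.51.100.7 - - [12/Jan/2026:10:03:33 +0000] "GET /useradmin/settings.conf HTTP/1.1" 200 944 "-" "curl/8.4.0"',
    '198.51.100.7 - - [12/Jan/2026:10:03:40 +0000] "GET /useradmin/index.cgi HTTP/1.1" 401 0 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}: {f.host} {f.path}")
```

Run against the constructed sample, the script flags line 2 (a 'webmin' User-Agent from 203.0.113.5) and line 4 (a 200 response for a .conf path with no logged user) and ignores the loopback request on line 3. To use it on a real host, replace SAMPLE_LOG with the lines of your proxy or miniserv log and widen TRUSTED_NETS to whatever networks your own Webmin cluster or RPC tooling connects from; a hit is a prompt to inspect, not proof of compromise.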