CVE Catalog

CVE-2026-56022

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

22th percentile — higher than 22% of all known CVEs

Summary

Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in version 2.641.

Risk Assessment

The organization may be exposed to attacks that bypass multi-factor authentication, increasing the risk of unauthorized access to the system.

Recommendation

It is recommended to update Webmin to version 2.641 or newer to mitigate this vulnerability.

Original NVD description (English source)

Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS