CVE Catalog
CVE-2026-56022
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk0.31%
22th percentile — higher than 22% of all known CVEs
Summary
Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in version 2.641.
Risk Assessment
The organization may be exposed to attacks that bypass multi-factor authentication, increasing the risk of unauthorized access to the system.
Recommendation
It is recommended to update Webmin to version 2.641 or newer to mitigate this vulnerability.
Original NVD description (English source)
Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641.

