Critical Webmin Flaws Allow User Impersonation and Root Access

Webmin, a widely used web-based system administration tool for Unix-like systems, has disclosed multiple critical vulnerabilities affecting versions prior to 2.641. These flaws expose systems to significant risks, including user impersonation, authentication bypass, and root-level control.

Key Vulnerabilities Identified

One of the most severe issues, designated as CVE-2026-22678, is a stored cross-site scripting (XSS) vulnerability within the System and Server Status module. Attackers with limited Webmin access can inject malicious scripts into notification templates. When an administrator views these templates, the scripts execute with root privileges, potentially leading to full system compromise.

Another critical flaw involves privilege escalation through the built-in Help feature in versions before 2.640. This vulnerability allows untrusted users to execute arbitrary commands with root privileges, effectively bypassing Webmin’s access control mechanisms.

Additional vulnerabilities in the Read User Mail module further expand the attack surface. CVE-2026-49102 enables XSS via malicious SVG email attachments, while CVE-2026-49103 allows file overwrites due to unsafe filename handling when detaching email attachments. Exploiting these issues in combination could lead to persistent system compromise.

Notably, Webmin also suffers from a two-factor authentication (2FA) bypass, identified as CVE-2026-42210 and CVE-2026-56022. Attackers can circumvent 2FA protections by utilizing HTTP Basic Authentication instead of the standard session-based login. Although valid credentials are still required, this flaw undermines a critical security control designed to prevent unauthorized access.

Additional Vulnerabilities in Earlier Versions

Earlier versions of Webmin are affected by several severe vulnerabilities, including:

  • Command execution via the Squid module (CVE-2025-67738).
  • Host header injection in password reset functionality (CVE-2025-61541).
  • SSL trust misconfigurations allowing attackers to spoof client certificates (CVE-2026-56020).

Chained together, these flaws are especially dangerous: an attacker with limited Webmin access could exploit the Help feature to gain root privileges, then leverage the 2FA bypass to maintain unauthorized access, effectively impersonating legitimate administrators.

Recommendations and Mitigation

Security researchers from multiple organizations have reported these issues, underscoring the ongoing risks in widely deployed administrative tools. Users are strongly advised to upgrade to the latest Webmin version immediately. Administrators should also disable unnecessary modules, enforce strict access controls, and avoid granting Webmin access to untrusted users. Reviewing authentication mechanisms and disabling Basic Authentication where possible can help mitigate the risk of 2FA bypass.
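To help prioritise upgrades across a fleet, the following triage script is an added example (not part of the advisory or of the Webmin project). It maps each host's Webmin version to the advisory items still outstanding, using the fixed-in versions named above (2.640 for the Help feature escalation, 2.641 for everything else); the version file path `/etc/webmin/version` and the sample inventory are assumptions.

```python
"""Triage Webmin hosts against the fixed-in versions named in the advisory."""
import re

# Fixed-in thresholds taken from the advisory: the Help-feature root
# escalation is fixed in 2.640, the remaining items in 2.641.
FIXED_IN = {
    "CVE-2026-22678 stored XSS in System and Server Status": 2.641,
    "Help feature root privilege escalation": 2.640,
    "CVE-2026-49102 SVG attachment XSS in Read User Mail": 2.641,
    "CVE-2026-49103 file overwrite on attachment detach": 2.641,
    "CVE-2026-42210 / CVE-2026-56022 2FA bypass via HTTP Basic auth": 2.641,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)")

def parse_version(text):
    """Turn a Webmin version string into a comparable float.

    Webmin orders its releases numerically (1.999 < 2.000 < 2.641), so
    '2.64' and '2.640' denote the same release. Distro package suffixes
    such as '2.641-1' are ignored. Raises ValueError on unparseable input.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Webmin version: {text!r}")
    return float(f"{m.group(1)}.{m.group(2)}")

def outstanding_issues(version):
    """Return the advisory items a given Webmin version is still exposed to."""
    v = parse_version(version)
    return [name for name, fixed in FIXED_IN.items() if v < fixed]

def triage(inventory):
    """inventory: {host: version}; returns {host: [issues]} for exposed hosts only."""
    report = {}
    for host, version in inventory.items():
        try:
            issues = outstanding_issues(version)
        except ValueError as exc:
            issues = [f"unparseable version: {exc}"]  # flag, never silently skip
        if issues:
            report[host] = issues
    return report

def read_local_version(path="/etc/webmin/version"):
    """Assumption: Webmin records its installed version in /etc/webmin/version."""
    with open(path) as fh:
        return fh.read().strip()

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"web-01": "2.641", "web-02": "2.640-1", "web-03": "2.520", "web-04": "n/a"}
    for host, issues in triage(sample).items():
        print(host, "->", "; ".join(issues))
```

Hosts whose version cannot be parsed are reported rather than dropped, so a broken inventory entry does not hide an unpatched server.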

Organizations relying on Webmin for infrastructure management should treat these vulnerabilities as a high priority, as exploitation could result in full system takeover, data exposure, and persistent attacker access.

These vulnerabilities highlight the critical importance of regular software updates and vigilant security practices. As administrative tools like Webmin are integral to system management, ensuring their security is paramount to maintaining overall system integrity. Organizations must prioritize patching known vulnerabilities and continuously monitor for emerging threats to safeguard their infrastructure.