Critical Webmin Vulnerabilities Allow Attackers to Impersonate as Any User
By Abinaya
June 24, 2026
Critical security flaws in Webmin have exposed systems to severe risks, allowing attackers to impersonate users, bypass authentication, and gain root-level control across affected environments.
Webmin, a widely used web-based system administration tool for Unix-like systems, has disclosed multiple vulnerabilities affecting versions before 2.641.
These issues range from stored cross-site scripting (XSS) to privilege escalation and authentication bypass flaws, significantly increasing the attack surface for both remote and insider threats.
Webmin Vulnerabilities
One of the most critical issues, tracked as CVE-2026-22678, is a stored XSS vulnerability in the System and Server Status module.
An attacker with limited Webmin access can inject malicious scripts into notification templates. When viewed by an administrator, the payload executes in the context of the root user, enabling full system compromise.
Another high-risk vulnerability involves privilege escalation via the built-in Help feature in versions before 2.640.
This flaw allows untrusted users to execute arbitrary commands with root privileges, regardless of their assigned module permissions. This effectively breaks Webmin’s access control model.
In addition, multiple vulnerabilities in the Read User Mail module further expand the scope of exploitation.
CVE-2026-49102 enables XSS via malicious SVG email attachments, while CVE-2026-49103 allows file overwrites due to unsafe filename handling when detaching email attachments. These issues can be chained to achieve persistent compromise.
Critically, Webmin also suffers from a two-factor authentication bypass (CVE-2026-42210 and CVE-2026-56022). Attackers can bypass 2FA protections by using HTTP Basic Authentication instead of the standard session-based login.
Although valid credentials are still required, this flaw undermines a key security control designed to prevent account takeover.
Earlier versions of Webmin are also affected by several severe vulnerabilities.
These include command execution via the Squid module (CVE-2025-67738), host header injection in password reset functionality (CVE-2025-61541), and SSL trust misconfigurations allowing attackers to spoof client certificates (CVE-2026-56020).
For example, an attacker with limited Webmin access could exploit the Help feature to gain root privileges, then leverage the 2FA bypass to maintain unauthorized access even on hardened accounts, effectively impersonating legitimate administrators.
Security researchers from multiple organizations, including TIM Security Red Team and independent contributors, have reported these issues, highlighting ongoing risks in widely deployed administrative tools.
Users are strongly advised to upgrade to the latest Webmin version immediately. Administrators should also turn off unnecessary modules, enforce strict access controls, and avoid granting Webmin access to untrusted users.
Additionally, reviewing authentication mechanisms and disabling Basic Authentication where possible can help mitigate the risk of 2FA bypass.
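The two-factor bypass described above, and the "disable Basic Authentication" mitigation, as an added illustration that is not Webmin's code: a login gate that accepts either a browser session or HTTP Basic credentials. In the weak version the Basic path returns before the second factor is ever checked; the hardened version refuses Basic auth unless it is explicitly enabled and applies the factor to every accepted path. The account, OTP secret and code derivation are constructed for the demo.

```python
import base64
import hashlib
import hmac
# Constructed demo account: password hash, per-user OTP secret, 2FA enrolled.
USERS = {"admin": {"pw": hashlib.sha256(b"correct horse").hexdigest(),
                   "otp": b"demo-secret", "twofactor": True}}
def basic_header(user: str, password: str) -> dict:
    """Header a client sends when it picks HTTP Basic instead of the login form."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}

def expected_code(user: str) -> str:
    """Stand-in for a TOTP code: six digits derived from the user's OTP secret."""
    digest = hmac.new(USERS[user]["otp"], b"counter-0", "sha256").digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

def password_ok(user: str, password: str) -> bool:
    return user in USERS and hmac.compare_digest(
        USERS[user]["pw"], hashlib.sha256(password.encode()).hexdigest())
def second_factor_ok(user: str, code) -> bool:
    return isinstance(code, str) and code.isascii() and hmac.compare_digest(expected_code(user), code)

def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic <b64>' value, else None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, pw) if user else None

def authorize_weak(headers: dict, session_user, otp):
    """Vulnerable pattern: the Basic path returns before any second-factor check."""
    creds = parse_basic(headers.get("Authorization"))
    if creds:
        return creds[0] if password_ok(*creds) else None   # 2FA never consulted here
    if session_user in USERS and second_factor_ok(session_user, otp):
        return session_user
    return None

def authorize_hardened(headers: dict, session_user, otp, allow_basic=False):
    """Fixed pattern: Basic auth is off unless enabled; every accepted path still needs 2FA."""
    creds = parse_basic(headers.get("Authorization"))
    if creds and (not allow_basic or not password_ok(*creds)):
        return None
    user = creds[0] if creds else session_user
    if user not in USERS or (USERS[user]["twofactor"] and not second_factor_ok(user, otp)):
        return None
    return user
```

With the weak gate, a valid password alone gets through over Basic auth even though the same account would be prompted for a code on the session path; the hardened gate denies that request unless both the Basic path is enabled and the code is supplied.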
Organizations relying on Webmin for infrastructure management should treat these vulnerabilities as a high priority, as exploitation could result in a full system takeover, data exposure, and persistent attacker access.