CVE-2026-56020
HighCVSS 8.1Summary
The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user.
Risk Assessment
This vulnerability poses a serious risk to organizations, allowing attackers to gain access to user accounts without consent. This could lead to unauthorized access to sensitive data.
Recommendation
It is recommended to upgrade to version 2.641 to mitigate this vulnerability. Additionally, consider implementing extra authentication mechanisms.
Original NVD description (English source)
The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641.

