CVE Catalog

CVE-2026-56020

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Summary

The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user.

Risk Assessment

This vulnerability poses a serious risk to organizations, allowing attackers to gain access to user accounts without consent. This could lead to unauthorized access to sensitive data.

Recommendation

It is recommended to upgrade to version 2.641 to mitigate this vulnerability. Additionally, consider implementing extra authentication mechanisms.

Original NVD description (English source)

The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS