CRITICAL | CVE-2026-49103 | Published | Modified | CNA: mitre

CVE-2026-49103: Webmin before 2.640

Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.

HarborGuard Analysis

Synopsis

This is an unsafe filename construction weakness (the path-traversal class of bug) in Webmin's mailboxes component, specifically in mailboxes/detachall.cgi, affecting all versions before 2.640. An authenticated attacker can reach it over the network with a low-privilege account and no victim interaction. The CVSS v4.0 vector rates confidentiality, integrity and availability impact as High for both the vulnerable Webmin host and subsequent systems it manages. A patched-image rebuild at version 2.640 is available on HarborGuard for environments running an affected version.
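The weakness the advisory describes is an attachment filename joined onto a destination directory without being reduced to a safe path component. The following Python is an added illustration of that bug class beside a hardened version; it is not Webmin's Perl code and not the logic of detachall.cgi. The base directory, function names and probe filenames are assumptions constructed for the example.

```python
import os
import re

# Assumed destination directory for detached attachments (illustrative only).
BASE_DIR = "/tmp/detach"

# Constructed probe filenames, the kind a malicious message could carry in
# a Content-Disposition header. Not taken from any real exploit.
PROBES = [
    "report.pdf",
    "report with spaces.pdf",
    "../../../etc/cron.d/job",
    "..\\..\\Windows\\win.ini",
    "/etc/passwd",
    "evil.sh\x00.txt",
    "..",
    "",
    ".bash_profile",
]

_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")


def unsafe_save_path(base_dir, attachment_name):
    """Vulnerable pattern: the attacker-controlled name is joined verbatim.
    '../' segments walk out of base_dir and an absolute name replaces it."""
    return os.path.normpath(os.path.join(base_dir, attachment_name))


def sanitize_attachment_name(attachment_name, fallback="attachment.bin", max_len=128):
    """Reduce an untrusted attachment name to a single, safe path component."""
    # NUL bytes can truncate the name in C-level filesystem calls: reject outright.
    if "\x00" in attachment_name:
        raise ValueError("NUL byte in attachment name")
    # Drop any directory part, treating both separator styles as separators.
    name = attachment_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Allow-list characters; everything else becomes '_'.
    name = _DISALLOWED.sub("_", name)
    # No hidden files, and '.' / '..' collapse to nothing here.
    name = name.lstrip(".")
    if not name:
        name = fallback
    return name[:max_len]


def safe_save_path(base_dir, attachment_name):
    """Hardened pattern: sanitize, then verify the resolved path is a direct
    child of base_dir before anything is written."""
    name = sanitize_attachment_name(attachment_name)
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, name))
    # Defense in depth: catches symlink tricks inside base_dir as well.
    if os.path.dirname(full) != base:
        raise ValueError("resolved path escapes base directory")
    return full


def compare(base_dir=BASE_DIR, probes=PROBES):
    """Return {probe: (unsafe_result, safe_result_or_error)} for inspection."""
    results = {}
    for probe in probes:
        try:
            safe = safe_save_path(base_dir, probe)
        except ValueError as exc:
            safe = "REJECTED: %s" % exc
        results[probe] = (unsafe_save_path(base_dir, probe), safe)
    return results


if __name__ == "__main__":
    for probe, (unsafe, safe) in compare().items():
        print("%-28r unsafe=%-32s safe=%s" % (probe, unsafe, safe))
```

The unsafe variant shows why a filename is never trusted as a path: `os.path.join` discards the base directory entirely when the attachment name is absolute, and `normpath` happily resolves `../` out of it. The hardened variant keeps a single component, normalizes characters, and still re-checks containment on the resolved path, so a mistake in the sanitizer cannot by itself reach outside the directory.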

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-49103 is available across every HarborGuard environment - the CVE is matched against customer images within minutes of publication from upstream advisory feeds, covering both third-party base images and custom-built images that bundle Webmin. Any image with a Webmin installation below 2.640 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 9.4 Critical (CVSS v4.0) and can weight that score against each customer environment's compliance policy to prioritize routing. Triage alerts are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at Webmin 2.640 becomes available in HarborGuard as soon as the fix version is confirmed in the upstream advisory record. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Webmin service over the network; the component is network-exposed by design (AV:N).

  • Authentication: Required

    A low-privilege authenticated account is sufficient (PR:L); no administrative access is needed to trigger the unsafe filename construction.

  • Victim interaction: Not required

    No user interaction is required (UI:N); the attacker can trigger the vulnerability directly without involving another user.

  • Attack complexity: Low

    The vector rates attack complexity Low with no attack requirements (AC:L/AT:N): exploitation needs no race condition or special environmental precondition.

Blast Radius

  • A successful attacker reads sensitive files on the Webmin host, including credentials, configuration files, and stored mail attachments.
  • The attacker writes or overwrites arbitrary files on the host, enabling persistent backdoor installation or configuration tampering.
  • The attacker can crash or destabilize the Webmin service, disrupting administrative access to the host.
  • Because the CVSS v4.0 vector rates both vulnerable-system (VC/VI/VA) and subsequent-system (SC/SI/SA) impact as High across confidentiality, integrity, and availability, the attacker can pivot to connected systems and services that Webmin manages.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-49103 is active across all scanning pipelines, matching images that bundle any Webmin version below 2.640. For environments with auto-remediation enabled, HarborGuard can rebuild the affected image at Webmin 2.640, run a regression test pass, and open a PR against the affected workload - median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the CVE appears in the prioritized findings queue with its 9.4 Critical score and CVSS vector detail so that engineering teams can act manually. Customers should treat this as an urgent patch given the network-accessible attack surface and the full-system impact across both local and downstream scope.


Metrics

  • CVSS v4.0: 9.4
  • Severity: CRITICAL
  • Fixed in: 2.640
  • Affected products: 1
  • Fix available: 2.640
  • Affected packages: Webmin / Webmin, < 2.640 (from 0)
  • CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H