CVE-2026-56020 | Severity: CRITICAL | CNA: cisa-cg

CVE-2026-56020: Webmin HTTP header authentication bypass

The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641.

Metrics

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: 2.641
Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability exists in the Webmin HTTP server (miniserv.pl) where a remote attacker can forge an HTTP header to impersonate any user that has a configured SSL client certificate. The flaw is reachable over the network and requires no prior authentication, making it exploitable by any unauthenticated remote party. Successful exploitation gives the attacker full control over the Webmin instance, including the ability to read data, modify configuration, and disrupt services. A patched-image rebuild at version 2.641 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-56020 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images. Any image running Webmin below version 2.641 will be flagged automatically.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 9.2 (Critical) and weighting it against each environment's compliance policy to prioritize routing. Triage alerts can be directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at Webmin 2.641 becomes available through HarborGuard once the fix version is resolved against an affected image. For customers who opt into auto-remediation, HarborGuard will perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Webmin HTTP server over the network; the service must be exposed on a reachable network interface.

  • Authentication: Not required

    No credentials or existing session are needed; the forged HTTP header alone is sufficient to bypass authentication entirely.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any logged-in user or administrator.

  • Attack complexity: Low (see detail)

    Base exploit mechanics are condition-free and reliable, though the CVSS vector notes an attack requirement of specific target conditions (AT:P), meaning the target must have SSL client certificate authentication configured for at least one user.
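The exploit conditions above are a direct reading of the CVSS v4.0 vector published for this record. The following Python is an added example (not HarborGuard's or Webmin's code) showing how a scanner could derive those same flags from the vector string and decide whether an installed Webmin version falls inside the affected range (< 2.641, from 0). It assumes Webmin version strings are plain dotted integers, as the project's three-digit numbering (2.105, 2.111, 2.641) is; the CVE id, vector and fix version are taken from this page.

```python
"""Triage helper for CVE-2026-56020 (added example, not vendor code).

Parses the CVSS:4.0 vector, derives the advisory's exploit-condition flags,
and checks whether an installed Webmin version is in the affected range.
"""
from dataclasses import dataclass

CVE_ID = "CVE-2026-56020"
CVSS_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
FIXED_IN = "2.641"

# Base metrics every CVSS 4.0 vector must carry.
BASE_METRICS = {"AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"}


def parse_cvss4_vector(vector: str) -> dict[str, str]:
    """Split a CVSS:4.0 vector into {metric: value}; reject other versions or
    malformed items so a scraped record cannot silently yield wrong flags."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS 4.0 vector: {prefix!r}")
    metrics: dict[str, str] = {}
    for item in rest.split("/"):
        key, sep, value = item.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {item!r}")
        metrics[key] = value
    missing = BASE_METRICS - metrics.keys()
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    return metrics


@dataclass(frozen=True)
class ExploitConditions:
    network_reachable: bool      # AV:N
    auth_required: bool          # PR other than N
    victim_interaction: bool     # UI other than N
    target_preconditions: bool   # AT:P (here: client-cert auth configured)


def exploit_conditions(metrics: dict[str, str]) -> ExploitConditions:
    """Map the exploitability metrics onto the flags the advisory lists."""
    return ExploitConditions(
        network_reachable=metrics["AV"] == "N",
        auth_required=metrics["PR"] != "N",
        victim_interaction=metrics["UI"] != "N",
        target_preconditions=metrics["AT"] == "P",
    )


def parse_version(version: str) -> tuple[int, ...]:
    """Webmin releases are dotted integers (assumption: no suffixes); compare
    component-wise rather than as floats so 2.640 < 2.641 < 2.700 holds."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, fixed: str = FIXED_IN) -> bool:
    """True when the installed version lies in [0, fixed)."""
    return parse_version(installed) < parse_version(fixed)


def triage(installed: str, vector: str = CVSS_VECTOR) -> dict:
    """Produce the finding a scanner would attach to an image: affected or not,
    the fix version, and the exploit prerequisites read from the vector."""
    conds = exploit_conditions(parse_cvss4_vector(vector))
    return {
        "cve": CVE_ID,
        "installed": installed,
        "affected": is_affected(installed),
        "fixed_in": FIXED_IN,
        "unauthenticated_remote": conds.network_reachable
        and not conds.auth_required
        and not conds.victim_interaction,
        "requires_target_preconditions": conds.target_preconditions,
    }


if __name__ == "__main__":
    for v in ("2.640", "2.641"):  # constructed sample versions
        print(triage(v))
```

A scanner would feed `triage()` the Webmin version found in the image; the `requires_target_preconditions` flag is what distinguishes this record from a fully condition-free one and is the hook for the interim mitigation of disabling SSL client certificate authentication until 2.641 is deployed.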

Blast Radius

  • A successful attacker authenticates as any Webmin user, including the root-equivalent admin account, gaining full administrative access to the host system.
  • The attacker can read sensitive configuration files, credentials, and any data accessible through the Webmin interface.
  • The attacker can modify system configuration, add or remove user accounts, change scheduled tasks, and alter service settings on the underlying host.
  • The attacker can terminate services, reboot the host, or otherwise disrupt availability of the system managed by Webmin.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-56020 activates within minutes of publication for all customer environments scanning images that include Webmin. Because this is a Critical-severity authentication bypass with a fix available at version 2.641, environments with auto-remediation enabled are eligible for a rebuilt image, a regression test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, HarborGuard surfaces the finding with full CVSS context and fix-version detail to the configured owner inbox. Customers who cannot immediately upgrade should consider isolating Webmin instances behind a network policy that restricts inbound access to trusted source IPs, and disabling SSL client certificate authentication features until the patch is applied.


Fix available: 2.641

Affected packages
  • Webmin / Webmin: < 2.641 (from 0); fixed in 2.641

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N