{"id":"CVE-2026-56022","summary":"Webmin MFA bypass","details":"Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641.","modified":"2026-07-08T08:13:49.413600256Z","published":"2026-06-18T16:11:22.057Z","database_specific":{"cwe_ids":["CWE-308"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56022.json","cna_assigner":"cisa-cg"},"references":[{"type":"WEB","url":"https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-02.json"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56022.json"},{"type":"ADVISORY","url":"https://github.com/webmin/webmin/releases/tag/2.641"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-56022"},{"type":"ADVISORY","url":"https://webmin.com/security/#webmin-prior-to-2641"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-56022"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/webmin/webmin","events":[{"introduced":"0"},{"fixed":"ce1ab74c6fe6a7c5f776ba8e62ec0fcf812414c9"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"2.641"}]}}],"versions":["2.640","2.630","2.621","2.620","2.610","2.600","2.520","2.510","2.501","2.402","2.401","2.400","2.302","2.301","2.202","2.201","2.200","2.111","2.110","2.105","2.104","2.103","2.100","2.021","2.020","2.013","2.012","2.011","2.010","2.003","2.001","2.000","1.999","1.998","1.996","1.995","1.994","1.993","1.991","1.990","1.984","1.983","1.982","1.980","1.974","1.973","1.972","1.970","1.962","1.960","1.955","1.954","1.953","1.951","1.950","1.941","1.940","1.930","1.920","1.910","1.900","1.890","1.880","1.870","1.860","1.850","1.840","1.831","1.830","1.820","1.810","1.801","1.800","1.790","1.780","1.770","1.760","1.750","1.740","1.730","1.720","1.710","1.700"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56022.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}]}