Webmin 2.641 Fixes Vulnerabilities That Could Bypass 2FA and Impersonate Users


Webmin administrators should upgrade to the latest release after multiple security issues were disclosed in the web-based server administration tool. The flaws affect older Webmin versions and include stored cross-site scripting, privilege escalation, unsafe email attachment handling, two-factor authentication bypass, and user impersonation risks.

The most serious issue in public vulnerability records is CVE-2026-56020, which can allow an unauthenticated attacker to impersonate a Webmin user configured with SSL client certificate authentication under certain proxy-related conditions. The NVD entry for CVE-2026-56020 says the Webmin HTTP server can accept a forged header that spoofs certificate distinguished names.

Webmin’s own security page lists several related fixes across recent releases. The project has made Webmin 2.641 available, and administrators should move to that version or later to cover the latest disclosed issues.

What Webmin fixed

Webmin is used to manage Unix-like servers from a browser, including users, services, web servers, mail, databases, DNS and system configuration. That makes Webmin a high-value target because a successful compromise can affect the whole server.

The Webmin 2.641 release added trusted proxy IP support and fixed bugs in the System and Server Status module. The security fixes matter most for exposed Webmin panels or environments where multiple users have delegated access.

Some flaws require an attacker to already have a Webmin account. Others depend on specific modules, mail handling, client certificate authentication, or 2FA configuration. Administrators should not ignore them because Webmin often runs with enough privileges to change system-level settings.

Issue | Affected area | Main risk | Fixed in
CVE-2026-22678 | System and Server Status module | Stored XSS through notification template descriptions | Webmin 2.641
CVE-2026-49102 | Read User Mail module | XSS through malicious SVG email attachments | Webmin 2.640
CVE-2026-49103 | Mailbox attachment handling | Unsafe attachment filename handling and file overwrite risk | Webmin 2.640
CVE-2026-56022 | Authentication handling | 2FA bypass through Basic Authentication behavior | Webmin 2.641
CVE-2026-56020 | miniserv.pl and client certificate authentication | User impersonation through forged certificate headers | Webmin 2.641

Stored XSS in the System and Server Status module

CVE-2026-22678 affects Webmin before 2.641. The vulnerability sits in the email template description field used by the System and Server Status module.

The CVE-2026-22678 record says a low-privileged authenticated attacker can inject unsanitized input that later runs JavaScript in an administrator’s browser when the template is viewed.

That means the attacker still needs access and a path to create or modify notification email templates. However, stored XSS in an administration panel can still have serious impact because it can target privileged users inside the same interface.

Help feature and mail module issues raise privilege risks

Webmin also fixed a privilege escalation issue in versions before 2.640 involving the built-in Help feature. The project says untrusted Webmin users could use help pages to execute commands with root privileges, regardless of which modules their account could access.

The Webmin security advisory page also lists two Read User Mail module issues. One involves malicious SVG attachments, while the other involves unsafe file naming when saving detached email attachments.

The SVG issue is tracked as CVE-2026-49102. The Red Hat CVE page says Webmin before 2.640 can allow XSS when an SVG attachment is viewed in the mailboxes component because it is served with an unsafe content type.
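Both XSS items above come down to how untrusted content reaches the administrator's browser: a stored template description that is interpolated into a page as-is, and an SVG attachment served with a content type that lets the browser execute it. The following added example (not Webmin's code; the sample description, the header policy and the set of script-capable types are assumptions for the demonstration) shows the defect pattern next to the hardened handling for each case.

```python
import html
import re

# Constructed sample: a template description as a low-privileged user might
# submit it. The payload is illustrative only; it is not from the advisory.
SAMPLE_DESCRIPTION = 'Disk space alert <script>alert(document.cookie)</script>'


def render_description_unsafe(description: str) -> str:
    """Defect pattern: the stored text is placed into the page verbatim, so
    any markup it carries is parsed and executed by the admin's browser."""
    return f"<td>{description}</td>"


def render_description_safe(description: str) -> str:
    """Hardened form: escape on output so the text is displayed, not parsed."""
    return f"<td>{html.escape(description, quote=True)}</td>"


def contains_active_content(rendered: str) -> bool:
    """Rough check used only to make the difference visible: does the rendered
    HTML still contain a <script tag or an on*= event-handler attribute?"""
    return re.search(r"<script|\bon\w+\s*=", rendered, re.IGNORECASE) is not None


# Attachment serving: an SVG viewed inline as image/svg+xml can run script.
# Assumed defensive policy (not Webmin's own): script-capable types are served
# as a download with a generic content type, and every response gets nosniff.
SCRIPT_CAPABLE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml"}


def attachment_headers(filename: str, content_type: str) -> dict:
    """Return the response headers to use when serving a mail attachment."""
    # Keep the filename to a conservative character set for the header value.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "attachment"
    headers = {"X-Content-Type-Options": "nosniff"}
    if content_type.lower() in SCRIPT_CAPABLE_TYPES:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    else:
        headers["Content-Type"] = content_type.lower()
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    return headers
```

The escaping is applied at output time rather than on save, which is the form that survives later changes to how the field is displayed; the attachment policy errs toward forcing a download for anything a browser might interpret as a document.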

  • Restrict Webmin accounts to users who genuinely need server administration access.
  • Disable modules that are not required.
  • Do not let untrusted users manage notification templates or mailbox features.
  • Review mail attachment handling if Webmin’s mail modules are enabled.
  • Patch before investigating feature-level workarounds.

Attachment handling could overwrite files

CVE-2026-49103 affects attachment saving in the mailboxes component. The issue comes from unsafe filename construction when detaching email attachments.

The GitHub advisory for CVE-2026-49103 says Webmin before 2.640 does not safely construct a filename when saving an attachment through mailboxes/detachall.cgi.

File overwrite issues in an administrative tool can become dangerous when combined with other weaknesses. Even if one issue looks limited on its own, attackers often chain smaller flaws to gain persistence or move from a low-privileged account to broader control.
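The attachment-saving issue is a general one: a filename taken from a mail message must not be allowed to choose the directory, and saving must not silently replace whatever is already there. This added example (not Webmin's code; the save directory is a placeholder and the naming scheme is an assumption) reduces the supplied name to a single safe path component under a fixed root and creates the file with O_EXCL so an existing file is never overwritten.

```python
import os
import pathlib
import re
import tempfile


def safe_attachment_path(root, attachment_name: str) -> pathlib.Path:
    """Map an untrusted attachment name to one path directly under root."""
    root = pathlib.Path(root).resolve()
    # Drop any directory part, treating backslashes as separators too.
    name = os.path.basename(attachment_name.replace("\\", "/"))
    # Keep a conservative character set and refuse leading dots (hidden files, "..").
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).strip(". ") or "attachment"
    candidate = (root / name).resolve()
    if candidate.parent != root:
        raise ValueError(f"refusing to save outside {root}: {attachment_name!r}")
    return candidate


def save_attachment(root, attachment_name: str, data: bytes) -> pathlib.Path:
    """Write data under root without ever overwriting an existing file.
    On a name collision a numeric suffix is inserted before the extension."""
    root = pathlib.Path(root).resolve()
    root.mkdir(parents=True, exist_ok=True)
    base = safe_attachment_path(root, attachment_name)
    for n in range(1000):
        candidate = base if n == 0 else base.with_name(f"{base.stem}.{n}{base.suffix}")
        try:
            # O_EXCL makes creation atomic: if the file exists, we get an error
            # instead of truncating it.
            fd = os.open(candidate, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            continue
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return candidate
    raise RuntimeError("too many attachments with the same name")


def demo() -> dict:
    """Exercise the helpers in a throwaway directory and report what happened."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="detach-demo-"))
    first = save_attachment(root, "report.pdf", b"first")
    second = save_attachment(root, "report.pdf", b"second")   # collision
    traversal = save_attachment(root, "../../etc/passwd", b"x")  # constructed hostile name
    return {
        "first": first.name,
        "second": second.name,
        "traversal": traversal.name,
        "all_inside_root": all(p.parent == root.resolve() for p in (first, second, traversal)),
        "first_contents": first.read_bytes(),
    }


if __name__ == "__main__":
    print(demo())
```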

2FA bypass weakens account protection

Two-factor authentication should reduce the damage from stolen passwords, but the Webmin flaws show how implementation details can weaken that protection. CVE-2026-42210 and CVE-2026-56022 are tied to Basic Authentication behavior that can bypass the extra 2FA step when valid credentials are supplied.

The NVD page for CVE-2026-56022 says Webmin accepts Basic Authentication without session cookies when a request includes the “User-Agent: webmin” header, allowing attackers to bypass additional MFA requirements.

This is not a passwordless login bypass. The attacker still needs the correct username and password. Still, it reduces the value of 2FA for Webmin accounts and increases the risk from phishing, credential stuffing, leaked passwords, and reused administrator credentials.
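To make the 2FA weakness concrete, here is an added model of the two authentication policies (illustrative code, not Webmin's miniserv.pl; the accounts, the decision labels and the policy parameters are assumptions). The weak policy reproduces the behavior the NVD entry describes: a Basic Authorization header plus a User-Agent of "webmin" is treated as a complete login. The hardened policy treats Basic Authentication as an explicitly enabled option that can never satisfy a 2FA-enrolled account on its own, and ignores the User-Agent entirely, since a header any client can set is not a credential.

```python
import base64
import hmac
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    password: str        # plaintext only for the demonstration; real stores hash
    totp_enrolled: bool  # whether the account has a second factor configured


# Constructed accounts for the demonstration.
ACCOUNTS = {
    "root": Account("root", "correct horse", totp_enrolled=True),
    "ops": Account("ops", "battery staple", totp_enrolled=False),
}


def basic_header(user: str, password: str) -> str:
    """Build an Authorization header value as a client would send it."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _basic_credentials(headers: dict):
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def _password_ok(acct, password: str) -> bool:
    return acct is not None and hmac.compare_digest(acct.password.encode(), password.encode())


def decide_weak(headers: dict, accounts=ACCOUNTS) -> str:
    """Model of the affected behavior: Basic credentials plus 'User-Agent: webmin'
    are accepted as a full login, so the 2FA step is never reached."""
    creds = _basic_credentials(headers)
    if creds and headers.get("User-Agent", "").strip().lower() == "webmin":
        user, password = creds
        if _password_ok(accounts.get(user), password):
            return "authenticated"
    return "session-login-required"


def decide_hardened(headers: dict, accounts=ACCOUNTS,
                    basic_auth_enabled=False, second_factor_ok=False) -> str:
    """Hardened policy: Basic auth is off unless an administrator enabled it,
    a wrong password is rejected, and an enrolled account still needs its
    second factor (second_factor_ok stands in for a verified TOTP code)."""
    creds = _basic_credentials(headers)
    if not creds or not basic_auth_enabled:
        return "session-login-required"
    user, password = creds
    acct = accounts.get(user)
    if not _password_ok(acct, password):
        return "rejected"
    if acct.totp_enrolled and not second_factor_ok:
        return "second-factor-required"
    return "authenticated"
```

The default of basic_auth_enabled=False mirrors the advice to disable Basic Authentication where it is not needed; where it is needed, the hardened path still refuses to let a password alone stand in for the second factor.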

Attack condition | What the attacker needs | Possible outcome
Stored XSS in templates | Low-privileged Webmin access and template permissions | Script execution in an admin browser
Help feature privilege escalation | Untrusted Webmin account on an affected version | Command execution with root privileges
Basic Authentication 2FA bypass | Valid username and password | Access without completing the 2FA flow
SSL client certificate spoofing | Direct access to a vulnerable miniserv.pl setup with affected certificate trust behavior | Impersonation of users configured with SSL client certificates

The impersonation flaw is the highest-risk issue

CVE-2026-56020 is the most alarming issue because it can allow remote user impersonation in affected setups. It involves Webmin’s miniserv.pl server and environments that trust SSL client certificate data passed through headers.

The vulnerability becomes possible when Webmin trusts remote IP addresses provided by a proxy while also using client SSL certificate authentication. In that configuration, a direct browser connection can provide a forged header and fake the client certificate identity.

This is why administrators should review reverse proxy and trusted proxy settings after upgrading. The issue does not mean every Webmin server is automatically open to unauthenticated takeover, but affected certificate-based authentication setups need urgent attention.
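The underlying rule the impersonation flaw breaks is that identity data carried in HTTP headers (a forwarded client address, a certificate subject name) may only be believed when the TCP peer is one of the configured trusted proxies. This added example (not Webmin's code; the header name X-Client-Cert-DN, the proxy addresses and the user-to-DN mapping are placeholders) shows the defect pattern beside the hardened check, and is what an administrator reviewing trusted proxy settings after the upgrade is effectively verifying.

```python
import ipaddress

# Assumed header carrying the certificate subject DN from a TLS-terminating
# proxy. Placeholder name for the demonstration, not Webmin's real header.
CERT_DN_HEADER = "X-Client-Cert-DN"

# Constructed trusted-proxy list; only these peers may set identity headers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32"),
                   ipaddress.ip_network("10.0.1.0/24")]

# Constructed mapping of certificate subjects to Webmin accounts.
USERS_BY_DN = {"CN=alice,O=Example": "alice", "CN=root-admin,O=Example": "root"}


def identify_weak(peer_ip: str, headers: dict) -> dict:
    """Defect pattern: the identity headers are honoured regardless of who
    connected, so a direct connection can claim any certificate subject."""
    dn = headers.get(CERT_DN_HEADER)
    return {"client_ip": headers.get("X-Forwarded-For", peer_ip),
            "cert_dn": dn, "user": USERS_BY_DN.get(dn)}


def identify(peer_ip: str, headers: dict, trusted_proxies=TRUSTED_PROXIES) -> dict:
    """Hardened: identity headers count only when the peer is a trusted proxy.
    From any other peer they are ignored and the real peer address is used."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxies):
        return {"client_ip": peer_ip, "cert_dn": None, "user": None,
                "via_trusted_proxy": False}

    # With one trusted hop, the proxy appends the real client as the last
    # X-Forwarded-For element; anything earlier could be client-supplied.
    forwarded = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    client_ip = peer_ip
    if forwarded:
        try:
            client_ip = str(ipaddress.ip_address(forwarded[-1]))
        except ValueError:
            client_ip = peer_ip  # malformed value: fall back to the peer

    dn = headers.get(CERT_DN_HEADER)
    return {"client_ip": client_ip, "cert_dn": dn, "user": USERS_BY_DN.get(dn),
            "via_trusted_proxy": True}
```

A complete deployment also needs the proxy itself to overwrite, not merely add, these headers on every request it forwards, so that a client talking through the proxy cannot smuggle its own copy.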

Older Webmin flaws add more exposure

The latest disclosures also sit on top of older Webmin security issues. These include Squid module privilege escalation in versions before 2.600, host header injection in password reset behavior in Webmin 2.510 and below, and the client certificate trust issue listed for older deployments.

The Webmin 2.640 release notes show several security-relevant fixes, including safer session cookies, safer mailbox attachment handling, safer winmail.dat decoding, and a fix to prevent two-factor authentication bypass in RPC requests.

The later Webmin 2.641 update should now be treated as the minimum safe target for administrators managing internet-facing or shared Webmin systems.

  • Upgrade Webmin to 2.641 or later.
  • Check whether Webmin is exposed to the public internet.
  • Limit access to trusted IP addresses or a VPN.
  • Disable Basic Authentication if it is not required in your environment.
  • Review reverse proxy and trusted proxy header settings.
  • Remove stale Webmin users and avoid shared administrator accounts.
  • Audit modules granted to non-root Webmin users.
  • Review logs for unexpected Basic Authentication and certificate-based logins.

What administrators should do now

Administrators should update first and investigate second. A vulnerable Webmin panel gives attackers a direct path to sensitive server controls, especially when Webmin is exposed beyond a trusted management network.

The 2.640 release addressed several authentication and mailbox-handling issues, while 2.641 addresses the latest System and Server Status XSS item and proxy-related improvements. Systems below either version need prompt attention.

After patching, teams should review whether Webmin needs to be reachable from the internet at all. In most production environments, management panels should sit behind a VPN, allowlist, bastion host, or other access control layer.

Why Webmin flaws matter

Webmin is not a normal web application. It is an administrative control plane for servers. That means XSS, authentication bypass, file overwrite, and command execution bugs can have higher impact than similar issues in a low-privilege application.

Attackers who compromise Webmin can potentially manage services, change users, modify configuration files, access logs, adjust web server settings, and pivot into hosted applications. That risk grows when organizations give multiple users Webmin access without strict module controls.

The safest response is straightforward: upgrade to Webmin 2.641 or later, reduce exposure, audit accounts, and disable modules that do not serve a clear operational need.

FAQ

What is Webmin?

Webmin is a web-based administration tool for Unix-like servers. It lets administrators manage users, services, web servers, databases, DNS, mail and other system settings from a browser.

Which Webmin version fixes the latest vulnerabilities?

Administrators should upgrade to Webmin 2.641 or later. Webmin 2.640 fixed several authentication and mailbox-related issues, while Webmin 2.641 addresses the latest disclosed System and Server Status XSS issue and proxy-related improvements.

Can attackers impersonate Webmin users?

In affected setups, CVE-2026-56020 can allow unauthenticated attackers to impersonate users configured with SSL client certificates by sending forged headers. The risk depends on Webmin’s proxy and certificate authentication configuration.

Does the Webmin 2FA bypass require a password?

Yes. The 2FA bypass issue still requires the correct username and password. It weakens multi-factor protection because Basic Authentication can bypass the normal 2FA session flow in affected versions.

How can administrators reduce Webmin risk?

Administrators should upgrade to Webmin 2.641 or later, restrict Webmin access to trusted networks, disable unnecessary modules, review Basic Authentication and proxy settings, remove unused accounts and audit permissions for non-root users.
