MineAdmin Swagger information disclosure
Description
A security flaw has been discovered in MineAdmin 1.x/2.x. This affects an unknown function of the component Swagger. The manipulation results in information disclosure. The attack may be performed remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MineAdmin 1.x/2.x exposes an unauthenticated Swagger endpoint that leaks API documentation and internal details, with a public exploit available.
Vulnerability Overview
CVE-2026-1194 describes an information disclosure vulnerability in MineAdmin, a PHP-based backend management system built on the Hyperf framework [2]. The flaw resides in the Swagger component, where an unknown function allows remote attackers to retrieve sensitive information without authentication [1]. The vendor was contacted but did not respond, and a public exploit has been released [1].
Attack Vector and Exploitation
The vulnerability can be triggered remotely by sending a GET request to the /swagger/http.json endpoint [3]. No authentication or special privileges are required, making the attack surface broad for any internet-facing MineAdmin instance. The exploit has been publicly disclosed, increasing the risk of widespread scanning and exploitation [1].
Impact
Successful exploitation leads to information disclosure, revealing the full Swagger API documentation. This includes endpoint paths, request parameters, response structures, and potentially internal system details [3]. An attacker can use this information to map the application's attack surface, identify other vulnerabilities, or craft targeted attacks against authenticated functions.
Mitigation Status
As of publication, the vendor has not responded to the disclosure and no official patch or advisory has been released [1]. Users are advised to restrict access to the Swagger endpoint, implement authentication for API documentation, or disable Swagger in production environments. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
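One way to check whether the mitigation above is holding, added here as an example and not taken from the advisory or the MineAdmin project: scan reverse-proxy access logs for GET requests to /swagger/http.json that were answered successfully for clients outside a trusted set. The combined log format, the trusted-address set and the sample lines (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

SWAGGER_PATH = "/swagger/http.json"  # endpoint named in the advisory text

# Assumed: NCSA combined log format, as written by nginx/Apache by default.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def canonical_path(target):
    """Drop the query string, percent-decode, and collapse '//', './', '../'
    so differently spelled forms of the same path still match."""
    path = unquote(target.split("?", 1)[0])
    # lstrip first: posixpath.normpath would otherwise keep a leading '//'.
    return normpath("/" + path.lstrip("/")).lower()

def exposed_swagger_hits(lines, trusted=frozenset()):
    """Return (ip, timestamp, raw_target) for every GET of the Swagger spec
    that was answered 2xx for a client outside the trusted set."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        if canonical_path(m["target"]) != SWAGGER_PATH:
            continue
        if m["status"].startswith("2") and m["ip"] not in trusted:
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:01:02 +0000] "GET /swagger/http.json HTTP/1.1" 200 48211 "-" "curl/8.5.0"',
    '203.0.113.7 - - [01/Jan/2026:10:01:05 +0000] "GET //swagger/./http.json?x=1 HTTP/1.1" 200 48211 "-" "curl/8.5.0"',
    '198.51.100.9 - - [01/Jan/2026:10:02:00 +0000] "GET /swagger/http%2Ejson HTTP/1.1" 403 162 "-" "-"',
    '192.0.2.10 - - [01/Jan/2026:10:03:00 +0000] "GET /swagger/http.json HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2026:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    # 192.0.2.10 stands in for an admin workstation allowed to read the docs.
    for ip, ts, target in exposed_swagger_hits(SAMPLE_LOG, trusted={"192.0.2.10"}):
        print(f"{ts} {ip} fetched Swagger spec via {target!r}")
```

Once access to the endpoint is restricted, requests for this path from untrusted addresses should log 403 or 404; any remaining 2xx hit means the restriction is not in effect on that route.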
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mineadmin/mineadmin (Packagist) | >= 1.0.0, <= 2.0.3 | — |
Affected products
- MineAdmin/MineAdmin
Patches
No patches discovered yet.
References
- github.com/SourByte05/MineAdmin-Vulnerability/issues/5 (ghsa, broken-link, exploit, issue-tracking, WEB)
- github.com/advisories/GHSA-7f7m-83r3-p644 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-1194 (ghsa, ADVISORY)
- vuldb.com (ghsa, third-party-advisory, WEB)
- vuldb.com (ghsa, signature, permissions-required, WEB)
- vuldb.com (ghsa, vdb-entry, technical-description, WEB)