VYPR
Medium severity 6.5 · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-36724

Description

FastapiAdmin v2.2.0 is vulnerable to DoS via unvalidated func field in scheduled tasks, allowing authenticated users to crash the application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An uncaught exception vulnerability exists in FastapiAdmin versions up to and including 2.2.0. The /api/v1/application/job/update/{id} endpoint allows the func field of a scheduled task to be changed without validation. When the application restarts, the init_system_scheduler() method reloads persisted tasks and parses each func field with rsplit('.', 1), unpacking the result into two variables. If the stored value cannot be split into two parts (for example because it contains no '.'), the unpacking raises an exception that is not caught, and the web server never finishes starting [1].

Exploitation

An authenticated attacker with the module_task:job:update permission can exploit this vulnerability. The attacker needs to update an existing scheduled task and manipulate its func field with invalid data that will cause the rsplit operation to fail during task reloading. This will trigger an uncaught exception upon application restart, leading to a denial of service [1].

Impact

Successful exploitation of this vulnerability results in a Denial of Service (DoS). The application will fail to initialize and the web server will be unable to start, rendering the service unavailable to all users until the issue is resolved [1].

Mitigation

To mitigate this vulnerability, input validation should be implemented on the func field to ensure it contains valid module paths. Additionally, proper exception handling should be added to the task initialization process, and task configurations should be validated before being persisted to the database. The affected versions are FastapiAdmin ≤ 2.2.0. A fixed version is not yet disclosed in the available references [1].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"An uncaught exception occurs when parsing the 'func' field of scheduled tasks during application initialization."

Attack vector

An authenticated attacker with the 'module_task:job:update' permission can exploit this vulnerability. The attacker first creates or identifies an existing scheduled task. Then, they modify this task via the `/application/job/update/{id}` endpoint, setting the `func` field to a value that does not contain a '.' character. When the application restarts, the `init_system_scheduler` method attempts to reload the task, causing an unhandled exception during the parsing of the `func` field, leading to a denial of service.

Affected code

The vulnerability lies within the `init_system_scheduler` method in `/backend/app/plugin/module_task/job/tools/ap_scheduler.py`. Specifically, the `rsplit('.', 1)` operation on the `job_info.func` field is not enclosed in a try-except block, leading to an uncaught exception if the field is malformed. The `update_obj_controller` in `/backend/app/plugin/module_task/job/controller.py` and `update_job_service` in `/backend/app/plugin/module_task/job/service.py` are involved in the modification of the task, but lack validation for the `func` field.

What the fix does

The advisory indicates that mitigation requires input validation on the `func` field so that only valid dotted module paths are accepted. Additionally, the task initialization process should handle exceptions for individual task records instead of letting one malformed record abort startup, and task configurations should be validated before they are persisted to the database. The provided reference does not include a patch, so these are the recommended remediation steps rather than a description of an actual fix.
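The following is an added illustration of the two remediation steps described in the Mitigation and "What the fix does" sections; it is not FastapiAdmin's own code, and the `JobInfo` record, the function names, and the sample job records are assumptions constructed for the example. It places the fragile `rsplit('.', 1)` unpacking beside a validator that would reject a bad `func` value at update time and a loader that reports and skips a malformed record instead of aborting scheduler initialization.

```python
import importlib
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


# Assumed job record shape; the real FastapiAdmin model is not shown on the page.
@dataclass
class JobInfo:
    id: int
    func: str  # dotted path such as "scheduler_test.job"


# A dotted path needs at least one '.', and every segment must be an identifier.
_DOTTED_PATH = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+")


def is_valid_func_path(func: object) -> bool:
    """True when `func` looks like 'pkg.module.callable'."""
    return isinstance(func, str) and _DOTTED_PATH.fullmatch(func) is not None


def validate_func_path(func: object) -> str:
    """Gate to run in the update path, before the value is persisted."""
    if not is_valid_func_path(func):
        raise ValueError(
            f"func must be a dotted module path like 'pkg.module.callable', got {func!r}"
        )
    return func  # type: ignore[return-value]


def legacy_parse(func: str) -> Tuple[str, str]:
    """The fragile pattern the advisory describes: two-variable unpacking of rsplit('.', 1).
    With no '.' in `func`, rsplit returns a single element and the unpacking raises ValueError."""
    module_path, attr = func.rsplit(".", 1)
    return module_path, attr


def split_func_path(func: str) -> Optional[Tuple[str, str]]:
    """Hardened split: returns (module, attr) or None instead of raising."""
    parts = func.rsplit(".", 1)
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]


def load_job_callable(func: str) -> Callable:
    """Import the module and fetch the attribute; callers handle the errors."""
    parts = split_func_path(func)
    if parts is None:
        raise ValueError(f"malformed func field: {func!r}")
    module_path, attr = parts
    module = importlib.import_module(module_path)
    target = getattr(module, attr)
    if not callable(target):
        raise AttributeError(f"{func!r} is not callable")
    return target


def init_scheduler_jobs(
    jobs: List[JobInfo],
) -> Tuple[List[Tuple[int, Callable]], List[Tuple[int, str]]]:
    """Reload persisted jobs at startup. A bad record is reported and skipped
    rather than aborting the whole scheduler (and with it, the web server)."""
    loaded, skipped = [], []
    for job in jobs:
        try:
            loaded.append((job.id, load_job_callable(job.func)))
        except (ValueError, ImportError, AttributeError) as exc:
            skipped.append((job.id, f"{type(exc).__name__}: {exc}"))
    return loaded, skipped


if __name__ == "__main__":
    # Constructed sample records: one valid stdlib target and three broken ones.
    sample = [
        JobInfo(1, "os.path.join"),
        JobInfo(2, "invalid_func"),
        JobInfo(3, "os.path.no_such_attr"),
        JobInfo(4, "no_such_module_xyz.fn"),
    ]
    ok, bad = init_scheduler_jobs(sample)
    print("loaded:", [jid for jid, _ in ok])
    print("skipped:", bad)
```

Running the script loads job 1 and reports jobs 2, 3 and 4 with the reason each was skipped, so startup completes even when the database already holds a bad record. Validation at write time and tolerance at load time are both needed: the first stops new bad records, the second protects against records that were persisted before the check existed. Since the `func` value is ultimately passed to `importlib.import_module`, restricting it to an allowlist of permitted module prefixes is a further hardening step worth considering in a real deployment.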

Preconditions

  • auth: The attacker must be authenticated and possess the 'module_task:job:update' permission.
  • input: The attacker needs to manipulate the 'func' field of a scheduled task to a value lacking a '.' character.

Reproduction

1. Create a normal job with the `func` field set to `scheduler_test.job` and note the returned job ID.
2. Modify this job via a PUT request to `/application/job/update/{id}`, changing the `func` field to a value without a '.' character (e.g., `invalid_func`).
3. Restart the application. The server will fail to restart due to an uncaught exception.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1