Critical Webmin Vulnerabilities Allow Attackers to Impersonate Any User
Multiple critical vulnerabilities in Webmin before version 2.641 allow attackers to impersonate users, bypass 2FA, and gain root access.

Critical security flaws in Webmin have exposed systems to severe risks, allowing attackers to impersonate users, bypass authentication, and gain root-level control across affected environments. Webmin, a widely used web-based system administration tool for Unix-like systems, has disclosed multiple vulnerabilities affecting versions before 2.641. These issues range from stored cross-site scripting (XSS) to privilege escalation and authentication bypass flaws, significantly increasing the attack surface for both remote and insider threats.
One of the most critical issues, tracked as CVE-2026-22678, is a stored XSS vulnerability in the System and Server Status module. An attacker with limited Webmin access can inject malicious script into notification templates. When an administrator later views the notification, the script runs inside that administrator's Webmin session, and because Webmin itself runs as root, any action the script takes through that session is carried out with root privileges, enabling full system compromise. Another high-risk vulnerability involves privilege escalation via the built-in Help feature in versions before 2.640. This flaw allows untrusted users to execute arbitrary commands as root regardless of the modules they have been granted, effectively breaking Webmin's access control model: any account that can log in at all is affected.
In addition, multiple vulnerabilities in the Read User Mail module further expand the scope of exploitation. CVE-2026-49102 enables XSS via malicious SVG email attachments, while CVE-2026-49103 allows file overwrites due to unsafe filename handling when detaching email attachments, so a crafted message can choose where on disk its attachment is written. These issues can be chained to achieve persistent compromise. Critically, Webmin also suffers from a two-factor authentication bypass (CVE-2026-42210 and CVE-2026-56022). Attackers can bypass 2FA by authenticating with HTTP Basic Authentication instead of the standard session-based login form, which is the only path that prompts for the second factor. Valid credentials are still required, so the flaw does not grant access on its own, but it removes the protection 2FA is meant to provide against stolen, phished, or guessed passwords.
Earlier versions of Webmin are also affected by several severe vulnerabilities. These include command execution via the Squid module (CVE-2025-67738), host header injection in the password reset functionality (CVE-2025-61541), and SSL trust misconfigurations allowing attackers to spoof client certificates (CVE-2026-56020). Taken together, the flaws compose: a user with only limited module access could exploit the Help feature to gain root, and an attacker who has obtained an administrator's password could use the 2FA bypass to log in without the second factor even on accounts that were hardened, effectively impersonating legitimate administrators.
Security researchers from multiple organizations, including TIM Security Red Team and independent contributors, have reported these issues, highlighting ongoing risks in widely deployed administrative tools. Users are strongly advised to upgrade to the latest Webmin version immediately. Administrators should also turn off modules they do not need, enforce strict per-user module access, and avoid granting Webmin accounts to untrusted users, since the Help flaw means any account at all can reach root on unpatched versions. Additionally, reviewing authentication mechanisms, disabling Basic Authentication where possible, and confirming that 2FA-enrolled accounts can no longer log in through it, can help mitigate the risk of 2FA bypass.
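The following script is an added example (not Webmin's own tooling) of how an administrator might check an install against the advice above: whether the installed version is below the fixed release, which non-root users hold the affected modules, and whether the server still accepts HTTP Basic Authentication. The file paths (`/etc/webmin/version`, `/etc/webmin/webmin.acl`), the module directory names (`status`, `mailboxes`, `squid`), the treatment of a 200 response as "Basic auth accepted" and the sample ACL are assumptions constructed for the example.

```python
"""Audit a Webmin install against the advisory. Added example, not Webmin code.
Paths, module directory names and the Basic-auth probe heuristic are assumptions."""
import base64
import http.client
import ssl
import sys

FIXED_VERSION = "2.641"  # first fixed release named in the advisory

# Assumed module directory names for the modules the advisory names.
AFFECTED_MODULES = {
    "status": "System and Server Status (stored XSS in notification templates)",
    "mailboxes": "Read User Mail (SVG XSS, attachment file overwrite)",
    "squid": "Squid Proxy Server (command execution)",
}

# Constructed sample input standing in for /etc/webmin/version and webmin.acl.
SAMPLE_VERSION = "2.640\n"
SAMPLE_ACL = """\
root: acl apache backup-config bind8 cron mailboxes squid status useradmin
helpdesk: status mailboxes
auditor: syslog
"""


def parse_version(text):
    """'2.640' -> (2, 640). Webmin versions are major.minor with a numeric
    minor, so tuple comparison orders them correctly ('2.105' < '2.640')."""
    parts = text.strip().split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Webmin version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_version(version, fixed=FIXED_VERSION):
    return parse_version(version) < parse_version(fixed)


def parse_webmin_acl(text):
    """Parse 'user: mod1 mod2 ...' lines of webmin.acl into {user: set(modules)}."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, mods = line.split(":", 1)
        acl[user.strip()] = set(mods.split())
    return acl


def risky_grants(acl, affected=AFFECTED_MODULES):
    """{user: [affected modules]} for every non-root user. Every non-root user
    is also a finding for the pre-2.640 Help escalation, which needs no module."""
    findings = {}
    for user, mods in acl.items():
        if user == "root":
            continue
        hits = sorted(m for m in mods if m in affected)
        if hits:
            findings[user] = hits
    return findings


def audit(version_text, acl_text):
    acl = parse_webmin_acl(acl_text)
    return {
        "version": version_text.strip(),
        "vulnerable_version": is_vulnerable_version(version_text),
        "non_root_users": sorted(u for u in acl if u != "root"),
        "risky_grants": risky_grants(acl),
    }


def basic_auth_accepted(host, user, password, port=10000):
    """Send one request authenticated with HTTP Basic instead of the login form.
    Assumption: an unpatched server answers 200 for a 2FA-enrolled account
    without ever asking for a token; a patched server, or one with Basic auth
    disabled, answers 401. Only run against hosts you are authorised to test."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # Webmin installs commonly use self-signed certs
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", "/", headers={"Authorization": f"Basic {token}"})
    status = conn.getresponse().status
    conn.close()
    return status == 200


if __name__ == "__main__":
    # Usage: audit.py [/etc/webmin/version /etc/webmin/webmin.acl]; with no
    # arguments the constructed sample data is used.
    if len(sys.argv) == 3:
        version_text = open(sys.argv[1]).read()
        acl_text = open(sys.argv[2]).read()
    else:
        version_text, acl_text = SAMPLE_VERSION, SAMPLE_ACL
    for key, value in audit(version_text, acl_text).items():
        print(f"{key}: {value!r}")
```

On the sample data the report flags version 2.640 as below the fix, lists `helpdesk` as holding both the status and mail modules, and lists `auditor` as a non-root account that can still reach the Help feature; `basic_auth_accepted` is left for a deliberate, authorised run against a real host.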
Organizations relying on Webmin for infrastructure management should treat these vulnerabilities as a high priority, as exploitation could result in a full system takeover, data exposure, and persistent attacker access. The disclosure follows a pattern of critical flaws in server management tools, underscoring the need for rigorous patch management and defense-in-depth strategies.