Webmin is vulnerable to multiple security flaws. In addition to a 2FA bypass, root-level attacks are possible. The developers have now released security patches.

The Unix server administration tool Webmin is vulnerable. Among other things, attackers can bypass two-factor authentication (2FA); root-level attacks are also conceivable. Patched versions are available for download.
Unauthorized access. For the 2FA vulnerability (CVE-2026-42210), a severity rating has apparently not yet been assigned. The BSI's emergency response team CERT-Bund rates the overall danger as "critical" in a post [1].
In the security section of the Webmin website [2], the developers explain that attackers can bypass 2FA via HTTP Basic authentication. A successful attack, however, requires the attacker to already know the username and password; only the 2FA one-time code is bypassed.
According to the developers, the root vulnerability lies in the tool's integrated help pages. How such an attack would proceed in detail is currently unclear. If an attack succeeds, attackers can reportedly access instances as the root user, and in that position it must be assumed that they gain full control of the system. Because the tool is used to manage servers remotely, such an attack can have far-reaching consequences.
The third now-patched vulnerability affects the Squid module. Here, too, root-level attacks are conceivable, in the context of the installed Squid cache manager, and it is likewise unknown at present how an attack would be carried out. So far, the developers have not reported that attackers are already exploiting these vulnerabilities.
Install updates. Admins should make sure they are running at least Webmin version 2.640, which contains the security patches. The latest release at the time of writing is 2.641.
Webmin version 2.600 from last November [3] brought a completely redesigned user interface.
(des [5])

URL of this article: https://www.heise.de/-11298189
Links in this article:
[1] https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1561
[2] https://webmin.com/security/#privilege-escalation-using-help-feature
[3] https://www.heise.de/news/Webmin-2-600-Groesstes-UI-Update-der-Server-Management-Software-11075882.html
[5] mailto:des@heise.de
Copyright © 2026 Heise Medien