Security Advisory - Published 2026-06-19 - Webmin
Webmin CVEs: patch to 2.641, then review authentication logs
Webmin 2.641 fixes a cluster of authentication and configuration exposure issues. Exposed control panels should patch first, then review who reached miniserv and whether certificate, MFA, or module configuration behavior changed.
Affected items
| CVE | Issue | Fixed | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-56020 | Webmin - SSL client certificate impersonation risk | 2.641 | login history, miniserv configuration, and certificate-auth users | 9.2 |
| CVE-2026-56021 | Webmin - module configuration file read risk | 2.641 | module access, unexpected reads, and exposed configuration | 6.9 |
| CVE-2026-56022 | Webmin - MFA/session bypass risk | 2.641 | MFA settings, session logs, and authentication sources | 6.9 |
Owner self-check
```sh
dpkg -l | grep -i webmin || rpm -qa | grep -i webmin
grep -nE 'port=|ssl=|allow=|deny=|trusted|session|twofactor' /etc/webmin/miniserv.conf 2>/dev/null
tail -n 200 /var/webmin/miniserv.log 2>/dev/null
tail -n 200 /var/webmin/miniserv.error 2>/dev/null
find /etc/webmin /var/webmin -type f -mtime -7 2>/dev/null
```
What to review
- Public Webmin exposure. Restrict the listener to VPN, bastion, or trusted IP ranges.
- Recent logins, failed logins, user creation, password changes, and module access.
- Certificate-authenticated users and any proxy or header-related authentication settings.
- Configuration reads from module directories and unexpected changes under /etc/webmin.
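A small triage helper for the self-check and review list above, added here as an example and not part of the advisory or of Webmin itself. It assumes miniserv.log uses Webmin's Common-Log-Format layout (client IP in field 1, authenticated user in field 3, "-" when none) and works on constructed sample data; point it at /var/webmin/miniserv.log and /etc/webmin/miniserv.conf on a real host.

```sh
#!/bin/sh
# Added example, not advisory or Webmin code. Log layout is an assumption:
# field 1 = client IP, field 3 = authenticated Webmin user ("-" if none).

# Constructed sample log lines for offline use.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - root [18/Jun/2026:09:12:01 +0000] "GET /proc/ HTTP/1.1" 200 5120
10.0.0.5 - root [18/Jun/2026:09:12:07 +0000] "POST /useradmin/save_user.cgi HTTP/1.1" 302 0
203.0.113.9 - - [18/Jun/2026:22:41:10 +0000] "GET /session_login.cgi HTTP/1.1" 200 1980
203.0.113.9 - svc_backup [18/Jun/2026:22:41:15 +0000] "GET /useradmin/ HTTP/1.1" 200 3300
EOF

# Constructed sample miniserv.conf with a weak setting (TLS off, no allow list).
SAMPLE_CONF=$(mktemp)
printf 'port=10000\nssl=0\nsession=1\n' > "$SAMPLE_CONF"
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_CONF"' EXIT

# Print "user ip count" for every authenticated user/IP pair, busiest first.
user_ip_summary() {
  awk '$3 != "-" { c[$3 " " $1]++ } END { for (k in c) print k, c[k] }' "$1" | sort -k3,3nr
}

# Print authenticated users not in the expected list passed as further arguments.
unexpected_users() {
  log=$1; shift
  awk -v known=" $* " '$3 != "-" && index(known, " " $3 " ") == 0 { print $3 }' "$log" | sort -u
}

# One warning per weak miniserv.conf setting the advisory asks owners to review.
conf_warnings() {
  grep -qx 'ssl=1' "$1"     || echo "WARN ssl: TLS not enabled (expected ssl=1)"
  grep -q '^allow=' "$1"    || echo "WARN allow: no IP allow list; restrict the listener"
  grep -qx 'session=1' "$1" || echo "WARN session: session authentication disabled"
}

user_ip_summary "$SAMPLE_LOG"
unexpected_users "$SAMPLE_LOG" root
conf_warnings "$SAMPLE_CONF"
```

Any user printed by unexpected_users, or any request from outside your trusted ranges, is what the "Recent logins" and "Public Webmin exposure" items above ask you to look at before reopening the panel.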
Safe fix path
- Upgrade Webmin to 2.641 or newer.
- Restrict external access before reopening the panel.
- Rotate Webmin admin credentials if the panel was internet-exposed.
- Preserve miniserv logs before cleanup if login activity looks unusual.
Repair help
Use Ping7 CVE Repair when Webmin was exposed to the internet, logs show unknown users, configuration changed, or the server also hosts customer sites that may need follow-up review.