CVE-2026-49103 Overview
CVE-2026-49103 is a path traversal vulnerability in Webmin versions before 2.640. The flaw resides in the mailboxes/detachall.cgi component, which fails to safely construct filenames when saving email attachments. An authenticated attacker can craft a malicious email attachment with a manipulated filename to write files to arbitrary locations on the server. The issue is tracked under CWE-24: Path Traversal: '../filedir'.
Critical Impact
Authenticated attackers can write arbitrary files to the Webmin host filesystem, leading to potential remote code execution and full system compromise.
Affected Products
- Webmin versions prior to 2.640
- mailboxes/detachall.cgi component
- mailboxes/detach.cgi component (related fix in same patch)
Discovery Timeline
- 2026-05-27 - CVE-2026-49103 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-49103
Vulnerability Analysis
Webmin is a web-based system administration interface for Unix-like servers. The mailboxes/detachall.cgi script extracts attachments from email messages and writes them to a temporary directory. Before version 2.640, the script used attachment filenames directly from the MIME headers without sanitizing path separators or control characters. An attacker who can deliver email to a mailbox managed by Webmin, or who is authenticated to the Webmin interface, can use a crafted attachment filename to escape the temporary directory.
A related issue in mailboxes/detach.cgi allowed Scalable Vector Graphics (SVG) attachments to be served from the Webmin origin, enabling script execution in the browser context of an administrator.
Root Cause
The root cause is improper input validation of the filename parameter parsed from MIME attachment headers. The unpatched code concatenated the attacker-controlled filename directly into a file path used by open_tempfile, with no stripping of /, \, null bytes, or carriage returns.
Attack Vector
The attack requires network access to the Webmin interface and low-privilege authentication. An attacker submits or triggers processing of an email containing an attachment whose filename MIME parameter contains path traversal sequences such as ../../etc/cron.d/payload. When the administrator invokes the detach-all action, the file is written outside the intended directory.
# Patch in mailboxes/detachall.cgi - Fix unsafe mailbox attachment handling
else {
$fn = "file".(++$n).".".&type_to_extension($a->{'type'});
}
+ $fn =~ s/[\r\n\0]//g;
+ $fn =~ s/\\/\//g;
+ $fn =~ s/^.*\///g;
+ $fn =~ /^\.+$/ && ($fn = "");
+ $fn ||= "file".(++$n);
# Write the file
&open_tempfile(FILE, ">$temp/$fn", 0, 1);
Source: Webmin commit cf432879
The patch strips carriage returns, newlines, and null bytes, normalizes backslashes to forward slashes, removes all leading path components, and rejects dot-only filenames before passing the value to open_tempfile.
Detection Methods for CVE-2026-49103
Indicators of Compromise
- Unexpected files appearing in directories outside the Webmin temporary attachment path, especially in /etc/cron.d/, /etc/cron.hourly/, or web-accessible directories
- Email messages stored in Webmin mailboxes containing MIME attachments with filename parameters that include ../, backslashes, or null bytes
- Modification of system configuration files coinciding with access to /mailboxes/detachall.cgi in Webmin access logs
- New SVG files served from the Webmin origin via mailboxes/detach.cgi
Detection Strategies
- Inspect Webmin access logs for POST and GET requests to mailboxes/detachall.cgi followed by file creation events outside the expected temp path
- Hunt for MIME Content-Disposition headers in mail spools containing path traversal sequences in the filename attribute
- Correlate Webmin authentication events with subsequent filesystem write activity in sensitive directories
Monitoring Recommendations
- Enable filesystem integrity monitoring on /etc/, cron directories, and web roots on hosts running Webmin
- Forward Webmin miniserv.log and webmin.log to a centralized logging platform for query and retention
- Alert on Webmin process spawning unexpected child processes such as shells or interpreters
How to Mitigate CVE-2026-49103
Immediate Actions Required
- Upgrade Webmin to version 2.640 or later on all managed hosts
- Restrict network access to the Webmin administrative port using a firewall or VPN until patching is complete
- Audit recent activity in mailboxes/detachall.cgi and review filesystem changes on affected servers
- Rotate credentials for any Webmin accounts that may have been used during the exposure window
Patch Information
The fix is included in Webmin 2.640. The corrective code, found in commit cf432879, sanitizes attachment filenames by removing control characters, normalizing separators, and stripping directory components. The full diff between vulnerable and fixed releases is available in the Webmin 2.630 to 2.640 comparison.
Workarounds
- Disable the Webmin mailbox module if email management is not required in your deployment
- Limit Webmin user accounts with mailbox access to trusted administrators only
- Place Webmin behind a reverse proxy that enforces strict authentication and inspects request paths
# Verify installed Webmin version and upgrade on Debian/Ubuntu
dpkg -l | grep webmin
wget https://download.webmin.com/download/deb/webmin_2.640_all.deb
sudo dpkg -i webmin_2.640_all.deb
# RHEL/CentOS
rpm -q webmin
sudo rpm -Uvh webmin-2.640-1.noarch.rpm
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
