CVE-2026-2894
Published: 21 February 2026
Summary
CVE-2026-2894 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Funadmin. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 31.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-2894 is an information disclosure vulnerability affecting funadmin versions up to 7.1.0-rc4. The flaw is located in the getMember function of the file app/frontend/view/login/forget.html, where improper handling of the request allows unauthorized access to sensitive member data.
The vulnerability can be exploited remotely by unauthenticated attackers (PR:N) over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Exploitation results in limited disclosure of confidential information (C:L), with no impact on integrity or availability, for a CVSS 3.1 base score of 5.3.
Advisories from VulDB and the referenced GitHub material indicate that a public exploit is available and that the vendor was notified early but provided no response or patch. No official mitigation has been published, so affected deployments should be reviewed for exposure of the login-recovery (password reset) functionality.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7531
Vulnerability details
A vulnerability was identified in funadmin up to 7.1.0-rc4. Affected by this vulnerability is the function getMember of the file app/frontend/view/login/forget.html. Such manipulation leads to information disclosure. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote information disclosure in a publicly accessible web application (the login/forget flow) maps directly to Exploit Public-Facing Application (T1190): the attacker reaches sensitive data by abusing an exposed web endpoint rather than any prior foothold.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces access restrictions on the getMember function so that unauthenticated remote callers cannot retrieve sensitive member data.
- AC-14 (Permitted Actions Without Identification or Authentication): Limits and documents the actions permitted without identification or authentication, directly blocking the unauthenticated access path exploited in the forget.html endpoint.
- Ensures the login-recovery function and its data are only reachable by the minimal set of authorized principals, reducing the impact of the missing access check.