Cyber Resilience

CVE-2026-2896

MediumPublic PoC

Published: 22 February 2026

Published
22 February 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0005 14.5th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2896 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Funadmin Funadmin. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-2896 is an improper authorization vulnerability affecting funadmin versions up to 7.1.0-rc4. The issue resides in the setConfig function within the file app/backend/controller/Ajax.php, part of the Configuration Handler component. It has been assigned CWEs 266 (Incorrect Privilege Assignment) and 285 (Improper Authorization), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

Remote attackers require no privileges or user interaction to exploit this vulnerability via manipulation of the affected function. Successful exploitation enables limited impacts, including low-level confidentiality, integrity, and availability disruptions, stemming from the improper authorization flaw.

Advisories referenced in GitHub issues (https://github.com/I4m6da/CVE/issues/3 and related) and VulDB entries (https://vuldb.com/?ctiid.347207, https://vuldb.com/?id.347207, https://vuldb.com/?submit.753972) detail the issue but report no vendor response despite early contact, implying no official patches or mitigations are available.

A public exploit exists, increasing the risk of real-world attacks against unpatched funadmin instances.

EU & UK References

Vulnerability details

A weakness has been identified in funadmin up to 7.1.0-rc4. This affects the function setConfig of the file app/backend/controller/Ajax.php of the component Configuration Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The exploit…

more

has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Improper authorization flaw in publicly accessible web app (Ajax config handler) with no-auth remote exploit directly enables T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2894Same product: Funadmin Funadmin
CVE-2026-2895Same product: Funadmin Funadmin
CVE-2025-1226Shared CWE-266, CWE-285
CVE-2026-1597Shared CWE-266, CWE-285
CVE-2025-8756Shared CWE-266, CWE-285
CVE-2026-2105Shared CWE-266, CWE-285
CVE-2025-1815Shared CWE-266, CWE-285
CVE-2025-0484Shared CWE-266, CWE-285
CVE-2026-3724Shared CWE-266, CWE-285
CVE-2026-5642Shared CWE-266, CWE-285

Affected Assets

funadmin
funadmin
7.1.0 · ≤ 7.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on the setConfig function in Ajax.php, blocking the unauthorized configuration changes described in the CVE.

prevent

Addresses the CWE-266 incorrect privilege assignment by ensuring the Configuration Handler only grants the minimum privileges needed, preventing the remote unauthenticated exploitation.

prevent

Ensures access control decisions for the affected endpoint are made consistently and correctly rather than allowing the flawed logic that leads to improper authorization.

References