CVE-2026-2896
Published: 22 February 2026
Summary
CVE-2026-2896 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Funadmin (vendor Funadmin, product Funadmin). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-2896 is an improper authorization vulnerability affecting funadmin versions up to 7.1.0-rc4. The issue resides in the setConfig function within the file app/backend/controller/Ajax.php, part of the Configuration Handler component. It has been assigned CWEs 266 (Incorrect Privilege Assignment) and 285 (Improper Authorization), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
Remote attackers require no privileges or user interaction to exploit this vulnerability via manipulation of the affected function. Successful exploitation enables limited impacts, including low-level confidentiality, integrity, and availability disruptions, stemming from the improper authorization flaw.
Advisories referenced in GitHub issues (https://github.com/I4m6da/CVE/issues/3 and related) and VulDB entries (https://vuldb.com/?ctiid.347207, https://vuldb.com/?id.347207, https://vuldb.com/?submit.753972) detail the issue but report no vendor response despite early contact, implying no official patches or mitigations are available.
A public exploit exists, increasing the risk of real-world attacks against unpatched funadmin instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7536
Vulnerability details
A weakness has been identified in funadmin up to 7.1.0-rc4. This affects the function setConfig of the file app/backend/controller/Ajax.php of the component Configuration Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper authorization flaw in publicly accessible web app (Ajax config handler) with no-auth remote exploit directly enables T1190 Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- Directly enforces authorization checks on the setConfig function in Ajax.php, blocking the unauthorized configuration changes described in the CVE.
- Addresses the CWE-266 incorrect privilege assignment by ensuring the Configuration Handler only grants the minimum privileges needed, preventing the remote unauthenticated exploitation.
- Ensures access control decisions for the affected endpoint are made consistently and correctly rather than allowing the flawed logic that leads to improper authorization.
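The controls above describe the fix in policy terms (AC-3 deny-by-default enforcement, AC-6 least privilege on the configuration endpoint). The following PHP is an added illustration of what that looks like in a configuration-update handler. It is not Funadmin's code and makes no claim about how its setConfig is implemented; the class names, the `config:write` permission string, the writable-key allowlist and the sample inputs are all constructed for the example.

```php
<?php
// Added example: a generic authorization guard for a configuration-update
// endpoint. Hypothetical names throughout; this is NOT Funadmin's code.
declare(strict_types=1);

final class AuthorizationDenied extends RuntimeException {}

/** Minimal session/permission model for the example (constructed). */
final class CurrentUser
{
    public function __construct(
        public readonly ?int $id,          // null when nobody is logged in
        public readonly array $permissions // e.g. ['config:write']
    ) {}

    public function can(string $permission): bool
    {
        return $this->id !== null && in_array($permission, $this->permissions, true);
    }
}

final class ConfigHandler
{
    /** Only these keys may be changed through the endpoint (hypothetical allowlist). */
    private const WRITABLE_KEYS = ['site_name', 'items_per_page', 'maintenance_mode'];

    public function __construct(private array $store) {}

    /**
     * Unguarded shape (the CWE-266/285 pattern): applies whatever the request
     * carries without checking who is calling. Shown only for contrast.
     */
    public function setConfigUnguarded(array $request): array
    {
        foreach ($request as $key => $value) {
            $this->store[$key] = $value;
        }
        return $this->store;
    }

    /**
     * Guarded shape: deny by default (AC-3), require an explicit permission
     * (AC-6), and restrict the writable key set so even an authorized
     * operator cannot reach unrelated settings through this endpoint.
     */
    public function setConfig(CurrentUser $user, array $request): array
    {
        if (!$user->can('config:write')) {
            // Log before denying: unauthenticated writes to a configuration
            // endpoint are a useful detection signal on their own.
            error_log(sprintf('config write denied: user=%s keys=%s',
                $user->id ?? 'anonymous', implode(',', array_keys($request))));
            throw new AuthorizationDenied('config:write permission required');
        }

        $unexpected = array_diff(array_keys($request), self::WRITABLE_KEYS);
        if ($unexpected !== []) {
            throw new InvalidArgumentException('unwritable keys: ' . implode(',', $unexpected));
        }

        foreach ($request as $key => $value) {
            $this->store[$key] = is_string($value) ? trim($value) : $value;
        }
        return $this->store;
    }
}

// Constructed demonstration inputs.
$handler   = new ConfigHandler(['site_name' => 'demo', 'items_per_page' => 20, 'maintenance_mode' => false]);
$anonymous = new CurrentUser(null, []);
$operator  = new CurrentUser(7, ['config:write']);

try {
    $handler->setConfig($anonymous, ['maintenance_mode' => true]);
} catch (AuthorizationDenied $e) {
    echo "anonymous: denied ({$e->getMessage()})\n";
}

$state = $handler->setConfig($operator, ['site_name' => 'renamed']);
echo "operator: site_name is now {$state['site_name']}\n";

try {
    $handler->setConfig($operator, ['admin_password_hash' => 'x']);
} catch (InvalidArgumentException $e) {
    echo "operator: rejected ({$e->getMessage()})\n";
}
```

Run with `php example.php` (PHP 8.1 or later for readonly promoted properties). The point of the third call is that least privilege applies to the data as well as the caller: an allowlist of writable keys bounds what a configuration endpoint can change even when the authorization check passes, and the denial log line gives defenders a concrete event to alert on while an instance remains unpatched.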