CVE-2026-2976

MEDIUM

FastApiAdmin <2.2.0 - Info Disclosure

Title source: llm

Description

A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function download_controller of the file /backend/app/api/v1/module_common/file/controller.py of the component Download Endpoint. This manipulation of the argument file_path causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.

References (4)

Core 4

Core References

Permissions Required, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.347360

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.347360

Permissions Required, VDB Entry third-party-advisory

https://vuldb.com/?submit.756089

Various Sources exploit

https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnerability-2

Scores

CVSS v3 4.3

EPSS 0.0031

EPSS Percentile 22.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-200 CWE-284 CWE-434

Status published

Products (4)

fastapiadmin/fastapi-admin 2.0

fastapiadmin/fastapi-admin 2.1

fastapiadmin/fastapi-admin 2.2.0

fastapiadmin/fastapiadmin < 2.2.0

Published Feb 23, 2026

Tracked Since Feb 23, 2026