CVE-2026-2894: Information Disclosure in funadmin
A vulnerability was identified in funadmin up to 7.1.0-rc4. Affected by this vulnerability is the function getMember of the file app/frontend/view/login/forget.html. Manipulation of this function leads to information disclosure. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-2894 is a medium severity information disclosure vulnerability affecting funadmin versions 7.1.0-rc1 through 7.1.0-rc4. The flaw resides in the getMember function located in the app/frontend/view/login/forget.html file. This function can be manipulated remotely by an unauthenticated attacker to disclose sensitive information, likely related to user membership or account details. The vulnerability does not require any privileges or user interaction, making it easier to exploit. The attack vector is network-based, allowing remote exploitation. The vendor was contacted early but has not issued any patch or advisory, and the exploit code is publicly available, increasing the risk of exploitation by malicious actors. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P) indicates low complexity and no authentication required, with partial impact on confidentiality. No known active exploitation has been reported, but the presence of public exploit code elevates the threat. The vulnerability could lead to unauthorized disclosure of user data, which may facilitate further attacks such as social engineering or account takeover attempts.
Potential Impact
The primary impact of CVE-2026-2894 is unauthorized disclosure of sensitive information from funadmin installations running affected versions. This can compromise user privacy and confidentiality of membership or login-related data. Organizations relying on funadmin for user management or authentication may face data leakage risks, potentially damaging their reputation and violating data protection regulations. Although the vulnerability does not directly allow code execution or system takeover, the exposed information could be leveraged by attackers for targeted phishing, credential stuffing, or other follow-up attacks. The lack of vendor response and public exploit availability increases the likelihood of exploitation attempts. The medium severity rating reflects the moderate but significant risk posed by this vulnerability, especially in environments with sensitive user data or high-value targets.
Mitigation Recommendations
To mitigate CVE-2026-2894, organizations should immediately assess their use of funadmin and identify whether affected versions (7.1.0-rc1 through 7.1.0-rc4) are deployed. Since no official patch is available, consider the following specific actions:
1. Restrict external access to the vulnerable getMember function or the forget.html page via network-level controls such as firewalls or web application firewalls (WAFs).
2. Implement strict input validation and output encoding on the affected endpoint if possible, to reduce information leakage.
3. Monitor logs for unusual access patterns targeting the forget.html page or getMember function.
4. Consider temporarily disabling or restricting the password reset or membership retrieval features until a patch or vendor guidance is available.
5. Engage with the funadmin community or maintainers for updates or unofficial patches.
6. Educate users and administrators about the risk and encourage vigilance against phishing or social engineering attacks that might leverage leaked information.
7. Plan for an upgrade or migration to a patched or alternative solution once available.
These targeted mitigations go beyond generic advice by focusing on access controls, monitoring, and feature restrictions specific to the vulnerability context.
Affected Countries
United States, China, Germany, India, United Kingdom, France, Japan, South Korea, Brazil, Russia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-20T18:56:39.810Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699a3cfabe58cf853b5c2203
Added to database: 2/21/2026, 11:17:14 PM
Last enriched: 3/1/2026, 6:16:20 AM
Last updated: 4/8/2026, 10:51:01 AM