CVE-2026-2975: Information Disclosure in FastApiAdmin
CVE-2026-2975 is an information disclosure vulnerability in FastApiAdmin versions up to 2.2.0, specifically in the reset_api_docs function within the Custom Documentation Endpoint. This flaw allows remote attackers to manipulate the endpoint to gain unauthorized access to sensitive information without requiring authentication or user interaction. The vulnerability has a CVSS 4.0 base score of 6.9, indicating medium severity. Although no known exploits are currently observed in the wild, a public exploit has been released, increasing the risk of exploitation. The issue impacts confidentiality but does not affect integrity or availability. Organizations using FastApiAdmin for administrative interfaces or API documentation should prioritize patching or mitigating this vulnerability to prevent data leakage.
AI Analysis
Technical Summary
CVE-2026-2975 is a medium severity information disclosure vulnerability found in FastApiAdmin, an administrative interface tool built on the FastAPI framework. The vulnerability resides in the reset_api_docs function located in the /backend/app/plugin/init_app.py file, which handles the Custom Documentation Endpoint. This function can be manipulated remotely without any authentication or user interaction, allowing attackers to access sensitive internal information that should otherwise be protected. The flaw does not impact the integrity or availability of the system but compromises confidentiality by exposing potentially sensitive API documentation or internal configuration details. The vulnerability affects FastApiAdmin versions 2.0, 2.1, and 2.2.0. The CVSS 4.0 vector indicates that the attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and limited confidentiality impact (VC:L). No patches have been linked yet, and while no active exploitation has been observed in the wild, a public exploit is available, increasing the urgency for mitigation. The vulnerability could be leveraged by attackers to gather intelligence for further attacks or reconnaissance within targeted environments.
Potential Impact
The primary impact of CVE-2026-2975 is unauthorized disclosure of sensitive information, which can aid attackers in mapping internal APIs, understanding system configurations, or identifying further vulnerabilities. This can lead to increased risk of targeted attacks such as privilege escalation, data breaches, or lateral movement within networks. Organizations relying on FastApiAdmin for managing API documentation or administrative tasks may inadvertently expose critical information to external attackers. The lack of authentication and user interaction requirements makes this vulnerability easier to exploit remotely, increasing the attack surface. While the vulnerability does not directly disrupt system availability or data integrity, the confidentiality breach can have significant downstream effects, including compliance violations, reputational damage, and facilitation of more severe attacks.
Mitigation Recommendations
To mitigate CVE-2026-2975, organizations should first verify if they are using affected versions of FastApiAdmin (2.0, 2.1, or 2.2.0) and plan immediate upgrades once patches become available. Until official patches are released, restrict access to the reset_api_docs endpoint by implementing network-level controls such as IP whitelisting, VPN requirements, or firewall rules limiting access to trusted internal users only. Employ web application firewalls (WAFs) to detect and block suspicious requests targeting the Custom Documentation Endpoint. Additionally, monitor logs for unusual access patterns or repeated requests to the reset_api_docs function. Consider disabling or restricting the API documentation endpoint if it is not essential for daily operations. Regularly review and update API security policies and ensure that sensitive endpoints are protected by authentication and authorization mechanisms. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.
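As an added illustration of the log-monitoring recommendation above (this is example code written for this page, not code from FastApiAdmin or from the advisory), the following Python script scans web-server access logs in Common Log Format for requests to the documentation-reset endpoint that come from outside trusted networks, separates the ones the server answered successfully from the ones a control already blocked, and counts repeat sources. The advisory names the function (reset_api_docs) and its file but not the URL it is served on, so DOCS_ENDPOINT_PATH is a placeholder assumption to replace with the path your deployment exposes; the trusted networks, IP addresses and log lines are constructed sample data.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# ASSUMPTION: the advisory names only the function (reset_api_docs) and its file,
# not the URL it is served on; set this to the path your deployment exposes.
DOCS_ENDPOINT_PATH = "/api/docs/reset"

# Networks from which administrative access is expected (constructed example values).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Common Log Format: client, ident, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one trusted admin, two hits from an untrusted address
# (one with a query string), one attempt a control blocked, and unrelated traffic.
SAMPLE_LOG = """\
10.1.2.3 - - [23/Feb/2026:06:30:01 +0000] "GET /api/docs/reset HTTP/1.1" 200 512
203.0.113.7 - - [23/Feb/2026:06:30:05 +0000] "GET /api/docs/reset HTTP/1.1" 200 4096
203.0.113.7 - - [23/Feb/2026:06:30:06 +0000] "GET /api/docs/reset?v=2 HTTP/1.1" 200 4096
198.51.100.9 - - [23/Feb/2026:06:30:09 +0000] "GET /api/docs/reset HTTP/1.1" 403 0
198.51.100.9 - - [23/Feb/2026:06:31:00 +0000] "GET /health HTTP/1.1" 200 15
"""


def parse_line(line):
    """Return a dict of fields for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Compare on the path only, so "?query" variants of the endpoint still match.
    rec["path"] = urlsplit(rec["target"]).path
    return rec


def is_trusted(ip_text, trusted=TRUSTED_NETWORKS):
    """True if the client address lies inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable client field is never trusted
    return any(ip in net for net in trusted)


def find_endpoint_hits(log_text, endpoint=DOCS_ENDPOINT_PATH, trusted=TRUSTED_NETWORKS):
    """All requests to the documentation endpoint from outside trusted networks."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != endpoint:
            continue
        if is_trusted(rec["ip"], trusted):
            continue
        hits.append(rec)
    return hits


def successful_hits(hits):
    """Hits the server answered with 2xx: the requests that may have disclosed data."""
    return [h for h in hits if 200 <= h["status"] < 300]


def repeat_sources(hits, threshold=2):
    """Client addresses that hit the endpoint at least `threshold` times."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_endpoint_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]}')
    print("successful from untrusted networks:", len(successful_hits(hits)))
    print("repeat sources:", repeat_sources(hits))
```

Feed it your real access log (for example `find_endpoint_hits(open(path).read())`) after setting DOCS_ENDPOINT_PATH and TRUSTED_NETWORKS for your environment. The 2xx filter matters for triage: a 401 or 403 on the endpoint shows the network or authentication control is doing its job, whereas a 200 from an untrusted address is a request that should be treated as a potential disclosure and investigated.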
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-22T15:09:00.869Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699bf46dbe58cf853b4576f7
Added to database: 2/23/2026, 6:32:13 AM
Last enriched: 2/23/2026, 6:46:28 AM
Last updated: 2/23/2026, 10:06:52 AM
Related Threats
- CVE-2026-2983: Improper Access Controls in SourceCodester Student Result Management System (Medium)
- CVE-2025-41002: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in MANANTIAL DE IDEAS, S.L. Infoticketing (Critical)
- CVE-2026-2981: Buffer Overflow in UTT HiPER 810G (High)
- CVE-2026-25747: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel (Unknown)
- CVE-2026-23552: CWE-346 Origin Validation Error in Apache Software Foundation Apache Camel (Unknown)