CVE-2026-2975 is a medium severity information disclosure vulnerability found in FastApiAdmin, an administrative interface tool built on the FastAPI framework. The vulnerability resides in the reset_api_docs function located in the /backend/app/plugin/init_app.py file, which handles the Custom Documentation Endpoint. This function can be manipulated remotely without any authentication or user interaction, allowing attackers to access sensitive internal information that should otherwise be protected. The flaw does not impact the integrity or availability of the system but compromises confidentiality by exposing potentially sensitive API documentation or internal configuration details. The vulnerability affects FastApiAdmin versions 2.0, 2.1, and 2.2.0. The CVSS 4.0 vector indicates that the attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and limited confidentiality impact (VC:L). No patches have been linked yet, and while no active exploitation has been observed in the wild, a public exploit is available, increasing the urgency for mitigation. The vulnerability could be leveraged by attackers to gather intelligence for further attacks or reconnaissance within targeted environments.

The primary impact of CVE-2026-2975 is unauthorized disclosure of sensitive information, which can aid attackers in mapping internal APIs, understanding system configurations, or identifying further vulnerabilities. This can lead to increased risk of targeted attacks such as privilege escalation, data breaches, or lateral movement within networks. Organizations relying on FastApiAdmin for managing API documentation or administrative tasks may inadvertently expose critical information to external attackers. The lack of authentication and user interaction requirements makes this vulnerability easier to exploit remotely, increasing the attack surface. While the vulnerability does not directly disrupt system availability or data integrity, the confidentiality breach can have significant downstream effects, including compliance violations, reputational damage, and facilitation of more severe attacks.

To mitigate CVE-2026-2975, organizations should first verify if they are using affected versions of FastApiAdmin (2.0, 2.1, or 2.2.0) and plan immediate upgrades once patches become available. Until official patches are released, restrict access to the reset_api_docs endpoint by implementing network-level controls such as IP whitelisting, VPN requirements, or firewall rules limiting access to trusted internal users only. Employ web application firewalls (WAFs) to detect and block suspicious requests targeting the Custom Documentation Endpoint. Additionally, monitor logs for unusual access patterns or repeated requests to the reset_api_docs function. Consider disabling or restricting the API documentation endpoint if it is not essential for daily operations. Regularly review and update API security policies and ensure that sensitive endpoints are protected by authentication and authorization mechanisms. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.