CVE-2026-2978

6.3 MEDIUM

📋 TL;DR

CVE-2026-2978 is an unrestricted file upload vulnerability in FastApiAdmin's Scheduled Task API that allows remote attackers to upload arbitrary files without proper validation. This affects FastApiAdmin versions up to 2.2.0, potentially enabling attackers to execute malicious code on affected systems.

💻 Affected Systems

Products:
  • FastApiAdmin
Versions: up to 2.2.0
Operating Systems: Any OS running FastApiAdmin
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the upload_file_controller function in /backend/app/api/v1/module_system/params/controller.py component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

File upload leading to web shell deployment, data manipulation, or denial of service through file system exhaustion.

🟢 If Mitigated

Limited impact with proper file validation, restricted permissions, and network segmentation in place.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require initial network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public exploit is available in a GitHub repository, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

1. Monitor the FastApiAdmin repository for security updates.
2. Upgrade to a version above 2.2.0 when available.
3. Review and apply any community patches from security advisories.

🔧 Temporary Workarounds

Implement File Upload Validation

Platform: all

Add server-side validation to restrict file types, extensions, and content.

# Modify upload_file_controller to validate file types and extensions
# Implement MIME type checking and file signature validation
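The two comment lines above only describe the workaround. The following is an added example, not FastApiAdmin's own code, of what server-side validation in a FastAPI upload handler could look like: an extension allowlist, a file-signature (magic bytes) check against the claimed type, a size cap, and filename sanitization so the stored name cannot escape the upload directory. The allowed extensions, the 5 MiB limit and the function name validate_upload are assumptions chosen for the example; adapt them to what the deployment actually needs to accept.

```python
import os
import re
from dataclasses import dataclass

# Allowlist of extensions the upload endpoint should accept. Constructed for the
# example; the page does not show what FastApiAdmin itself allows.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf", ".txt", ".csv"}

# Leading bytes ("magic numbers") that the content must carry for the claimed type.
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}

# Headers that must never appear in a file accepted as plain text.
EXECUTABLE_PREFIXES = (b"#!", b"\x7fELF", b"MZ")

MAX_SIZE = 5 * 1024 * 1024  # 5 MiB cap (hypothetical value)


@dataclass
class UploadCheck:
    ok: bool
    reason: str
    safe_name: str = ""


def sanitize_filename(name: str) -> str:
    """Drop any directory component and reduce the name to a conservative character set."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return base.lstrip(".")  # no hidden files and no leading-dot tricks


def validate_upload(filename: str, content: bytes) -> UploadCheck:
    """Return ok=True only if the upload passes every check; otherwise say why it failed."""
    if len(content) > MAX_SIZE:
        return UploadCheck(False, "file too large")

    safe = sanitize_filename(filename)
    if not safe:
        return UploadCheck(False, "empty filename after sanitizing")

    # Reject names with more than one extension (e.g. shell.php.png) outright;
    # this is deliberately conservative and also refuses report.final.pdf.
    if safe.count(".") > 1:
        return UploadCheck(False, "multiple extensions not allowed")

    _root, ext = os.path.splitext(safe)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return UploadCheck(False, f"extension {ext or '(none)'} not allowed")

    # Binary types: the bytes must match the type the extension claims.
    signatures = MAGIC.get(ext)
    if signatures and not any(content.startswith(s) for s in signatures):
        return UploadCheck(False, "content does not match claimed type")

    # Text types: refuse anything that starts like a script or native executable.
    if ext in {".txt", ".csv"} and content.startswith(EXECUTABLE_PREFIXES):
        return UploadCheck(False, "text type contains executable content")

    return UploadCheck(True, "ok", safe)


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for name, data in [
        ("../../etc/cron.d/job.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("shell.php", b"<?php echo 1;"),
        ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
        ("photo.png", b"GIF89a"),
        ("notes.txt", b"plain text"),
    ]:
        print(name, "->", validate_upload(name, data))
```

The check runs before the file is written anywhere, and the handler should store the file under safe_name in a directory that the web server does not execute from; a Content-Type header sent by the client is never trusted, which is why the signature check reads the bytes instead.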

Disable Scheduled Task API

Platform: all

Temporarily disable the vulnerable API endpoint if not required.

# Comment out or remove the upload_file_controller route in FastApiAdmin configuration

🧯 If You Can't Patch

  • Implement network segmentation to isolate FastApiAdmin instances from critical systems
  • Deploy web application firewall (WAF) with file upload protection rules

🔍 How to Verify

Check if Vulnerable:

Check the FastApiAdmin version and confirm whether the upload_file_controller function in /backend/app/api/v1/module_system/params/controller.py accepts uploads without validating file type, extension, or content.

Check Version:

Check FastApiAdmin package version or review application configuration files

Verify Fix Applied:

Test the file upload functionality with files that should be rejected (disallowed extensions, or content that does not match the claimed type) and confirm that validation refuses them.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to Scheduled Task API
  • Large or unexpected file types being uploaded
  • Multiple failed upload attempts

Network Indicators:

  • HTTP POST requests to upload endpoints with suspicious file extensions
  • Unusual outbound connections after file uploads

SIEM Query:

source="fastapi-admin" AND method="POST" AND uri_path="/api/v1/module_system/params/upload" AND file_extension IN ("php", "jsp", "asp", "exe", "sh")
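The log and network indicators listed above, together with the SIEM query, can be checked offline against exported access logs. Below is an added example, not part of this advisory or of FastApiAdmin, that applies the same three conditions as the query (upload path, POST method, risky extension) to constructed sample records and additionally counts repeated failed uploads per client, which covers the "multiple failed upload attempts" indicator. The record field names, the client IPs and the failure threshold of 3 are assumptions made for the example.

```python
from collections import Counter

# Path and extension list taken from the page's SIEM query.
UPLOAD_PATH = "/api/v1/module_system/params/upload"
RISKY_EXTENSIONS = {"php", "jsp", "asp", "exe", "sh"}
FAILED_UPLOAD_THRESHOLD = 3  # hypothetical: this many 4xx/5xx uploads from one client

# Constructed sample access-log records, not real FastApiAdmin logs.
SAMPLE_LOGS = [
    {"source": "fastapi-admin", "client_ip": "10.0.0.5", "method": "POST",
     "uri_path": UPLOAD_PATH, "file_extension": "png", "status": 200},
    {"source": "fastapi-admin", "client_ip": "203.0.113.9", "method": "POST",
     "uri_path": UPLOAD_PATH, "file_extension": "php", "status": 200},
    {"source": "fastapi-admin", "client_ip": "203.0.113.9", "method": "POST",
     "uri_path": UPLOAD_PATH, "file_extension": "jsp", "status": 400},
    {"source": "fastapi-admin", "client_ip": "203.0.113.9", "method": "POST",
     "uri_path": UPLOAD_PATH, "file_extension": "sh", "status": 400},
    {"source": "fastapi-admin", "client_ip": "203.0.113.9", "method": "POST",
     "uri_path": UPLOAD_PATH, "file_extension": "EXE", "status": 413},
    {"source": "fastapi-admin", "client_ip": "10.0.0.7", "method": "GET",
     "uri_path": "/api/v1/module_system/params/list", "file_extension": "", "status": 200},
    # A POST elsewhere must not match: the query needs all three conditions, not any one.
    {"source": "nginx", "client_ip": "10.0.0.8", "method": "POST",
     "uri_path": "/login", "file_extension": "", "status": 302},
]


def is_risky_upload(rec):
    """Equivalent of the SIEM query: source, POST, upload path and a risky extension."""
    return (rec.get("source") == "fastapi-admin"
            and rec.get("method") == "POST"
            and rec.get("uri_path") == UPLOAD_PATH
            and rec.get("file_extension", "").lower() in RISKY_EXTENSIONS)


def find_risky_uploads(records):
    """Return every record that should raise an alert."""
    return [r for r in records if is_risky_upload(r)]


def find_repeated_failures(records, threshold=FAILED_UPLOAD_THRESHOLD):
    """Map client_ip -> count of failed uploads for clients at or above the threshold."""
    failures = Counter(
        r["client_ip"] for r in records
        if r.get("uri_path") == UPLOAD_PATH and r.get("status", 0) >= 400
    )
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for rec in find_risky_uploads(SAMPLE_LOGS):
        print("ALERT risky upload:", rec["client_ip"], rec["file_extension"], rec["status"])
    for ip, n in find_repeated_failures(SAMPLE_LOGS).items():
        print(f"ALERT {n} failed uploads from {ip}")
```

The extension comparison is case-insensitive on purpose: an "EXE" upload is the same risk as "exe", and a query that compares exact strings will miss it. A successful (status 200) upload with a script extension is the record worth triaging first, since it indicates the file was actually stored.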
