Site icon Fix I.T. Phill – Your Go-To Tech Guru

Webmin 2.641 Security Update: Patch 2FA and Mailbox Issues

Webmin 2.641 security update patch guide for hosting servers and Virtualmin admins

Webmin 2.641 security update patch guide for hosting servers and Virtualmin admins

June 25-28, 2026: Webmin 2.650, Usermin 2.550, and Webmin 2.651

Update note, July 2, 2026: Webmin has released Webmin 2.650, Usermin 2.550, and then Webmin 2.651. This keeps the earlier 2.641 security guidance current for hosting admins who run Webmin or Virtualmin-managed systems.

Webmin 2.650 adds several admin modules and includes security-relevant fixes around RPC/API-only access, reflected XSS in status messages, SSL certificate login state, proxied keep-alive handling, path validation in File Manager and package helpers, Apache virtual host file handling, and password reset return URL validation in the Authentic theme.

Webmin 2.651 is a smaller follow-up release that fixes Certbot-backed certificate requests and renewals parsing PEM paths after issuance, fixes live activation of Linux bond interfaces, and updates Authentic theme File Manager cleanup behavior.

For exposed admin panels, shared-hosting servers, and Virtualmin hosts, treat this as a normal maintenance-window update: confirm backups, update Webmin/Usermin packages from the trusted channel, verify Webmin login and 2FA behavior, test certificate issue and renewal workflows, check File Manager and package operations, and review Webmin logs after the update.

This update is not an active-exploitation notice. It is a practical patch-and-verify item for servers where Webmin is reachable by admins, customers, or VPN users.

Webmin and Virtualmin are common on self-managed hosting servers, VPS stacks, and small-provider control panels. If Webmin is exposed to administrators or delegated users, the May 2026 Webmin security fixes deserve attention even if the server is not a cPanel or Plesk machine.

The official Webmin security page lists several recent issues fixed around Webmin 2.640 and 2.641, including a two-factor authentication bypass path, mailbox attachment handling problems, and a stored XSS issue in the System and Server Status module. NVD also lists one of the mailbox issues as critical under CVSS 4.0. The practical recommendation is straightforward: update Webmin to 2.641 or later, then review delegated users, exposed access, mail module usage, and logs.

What changed

Webmin 2.640 and 2.641 include security-relevant fixes administrators should not ignore:

NVD had records for CVE-2026-22678, CVE-2026-49102, CVE-2026-49103, and CVE-2026-56022 during this pass. CVE-2026-42210 was listed by Webmin but did not yet return an NVD record in this check. Use the Webmin security page as the primary source for the full cluster and NVD for CVSS detail where available.

Who should patch first

Patch Webmin promptly if any of these are true:

Even where the issue requires an authenticated user or user interaction, hosting servers are high-value targets. A delegated panel user, reused password, stale admin account, or exposed management interface can turn “medium” issues into real operational risk.

Backup and update plan

Before updating a production hosting server, take a recovery point that matches how the machine is hosted:

Then update through the package manager or Webmin’s documented update path for your operating system. Debian and Ubuntu hosts commonly use the Webmin `.deb` package or Webmin repository path. RPM-based hosts commonly use the Webmin `.rpm` package or configured repository. Avoid random mirrors; use the official Webmin downloads and repositories.

After updating

After installing Webmin 2.641 or later, verify the operational state:

If the server is managed for clients, also test the workflows they use: website management, DNS edits, mailboxes, databases, scheduled backups, and any Virtualmin virtual server functions.

Exposure hardening

Do not rely on the Webmin update alone if the panel is broadly exposed. For hosting servers, apply a layered access model:

For web hosts and agencies, customer communication should be simple: the hosting management panel is being updated for security, backups have been checked, and normal website/email service should continue unless a reboot or service restart is required.

Safe verification checklist

Use normal administrative checks only:

Do not run untrusted testing code against production Webmin. The point is to patch, reduce exposure, and verify the panel is healthy, not to test live exploitability.

Official sources

Exit mobile version