CVE-2026-36724 FastapiAdmin DoS Vulnerability: Privilege-Required Service Crash
FastapiAdmin version 2.2.0 contains a flaw in its scheduled task management endpoint that allows authenticated users with appropriate permissions to crash the application by submitting malformed task data. An attacker who has legitimate access and the module_task:job:update permission can trigger an unhandled exception that disrupts service availability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
An uncaught exception in the /application/job/update/{id} endpoint of FastapiAdmin v2.2.0 allows authenticated attackers with the module_task:job:update permission to cause a Denial of Service (DoS) via manipulating the func field of scheduled tasks.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36724 is an uncaught exception vulnerability in the /application/job/update/{id} endpoint of FastapiAdmin v2.2.0. The vulnerability exists in the scheduled task update functionality and is triggered when an attacker with module_task:job:update permissions manipulates the func field of a scheduled task object. The application fails to validate or safely handle the malicious func field value, resulting in an unhandled exception that crashes or hangs the application process. This is classified as an Improper Resource Validation issue (CWE-400).
Business impact
This vulnerability enables a denial-of-service attack against FastapiAdmin deployments. A user with update permissions on job scheduling—potentially a developer, DevOps engineer, or administrator—can render the job scheduler unavailable. For organizations relying on FastapiAdmin for task automation, data pipeline orchestration, or background job management, repeated or sustained exploitation could disrupt critical operational workflows and delay scheduled maintenance or data processing tasks.
Affected systems
FastapiAdmin version 2.2.0 is affected. Organizations running this version in production environments where users or service accounts hold the module_task:job:update permission are at risk. The vulnerability requires authentication and a specific permission grant, limiting exposure to internal threats or compromised accounts with elevated privileges.
Exploitability
Exploitation requires authentication and the module_task:job:update permission, which moderates the attack surface. The technical barrier to exploitation is low—an attacker need only send a crafted update request to the endpoint with a malicious func field value. No user interaction, network-level navigation, or race conditions are required. The attack is repeatable and reliable, making it a practical denial-of-service vector for authorized insiders or compromised privileged accounts.
Remediation
Upgrade FastapiAdmin to a patched version released after the CVE publication date (June 9, 2026). Verify the vendor advisory for the specific patched release that addresses input validation in the /application/job/update/{id} endpoint. In the interim, restrict the module_task:job:update permission to trusted administrators and monitor logs for unexpected task update requests or application crashes originating from the job endpoint.
Patch guidance
Check the FastapiAdmin project repository or official vendor security advisories for a patched release. The fix should include input validation or exception handling for the func field in scheduled task updates. Apply the patch to your development and staging environments first to verify compatibility with your current configuration and scheduled task definitions. Rolling updates may be necessary if your deployment uses multiple application servers.
Detection guidance
Monitor application logs for uncaught exceptions or stack traces originating from /application/job/update/{id} endpoint requests. Log all calls to this endpoint and correlate them with application crashes or service unavailability. Implement alerting for HTTP 500 responses or exception logs from the job update handler. Network-level monitoring can flag repeated update requests to the same job ID from the same user in short time windows, indicative of an attack.
Why prioritize this
Although this is a MEDIUM-severity vulnerability requiring authentication and specific permissions, its impact is immediate and repeatable—any authorized user can trivially crash the job scheduler. For organizations where task scheduling is operationally critical or where the module_task:job:update permission is held by multiple users, the insider risk and operational disruption justify near-term patching. The low technical barrier to exploitation and absence of KEV status suggests this may not be actively exploited in the wild, but the attack surface warrants prompt remediation.
Risk score, explained
CVSS v3.1 score of 6.5 (MEDIUM) reflects the Denial of Service impact (High availability impact), low attack complexity, network accessibility, and requirement for low privilege (authentication with a specific permission). The score appropriately excludes confidentiality and integrity concerns. The local privilege scope and requirement for a specific permission prevent a higher score despite the ease of exploitation.
Frequently asked questions
Does this vulnerability allow data theft or unauthorized access?
No. This vulnerability only impacts availability. It does not allow an attacker to read, modify, or exfiltrate data. The uncaught exception causes a denial of service but does not bypass authentication or expose sensitive information.
Can an unauthenticated attacker exploit this?
No. The vulnerability requires valid authentication and the module_task:job:update permission. An attacker without valid credentials or the specific permission cannot trigger the flaw.
Is there a workaround if we cannot patch immediately?
Yes. Restrict the module_task:job:update permission to a minimal set of trusted administrators, audit permission assignments, and monitor the job update endpoint for errors. Additionally, implement application-level alerts for crashes tied to job updates so your team can respond quickly if exploitation is attempted.
Will upgrading break our existing scheduled tasks?
Verify against the vendor advisory for any breaking changes. In most cases, a security patch addresses the validation logic without requiring changes to existing task definitions. Test the patched version in a staging environment with a copy of your current task configurations before deploying to production.
This analysis is based on the CVE description and CVSS vector as published. Specific patch version numbers, vendor advisory URLs, and detailed attack surface mapping should be verified against official FastapiAdmin security communications and your own environment. This assessment assumes the CVE description is accurate and does not constitute official vendor guidance. Organizations should consult the FastapiAdmin maintainers for definitive remediation timelines and compatibility information. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2019-25721MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability – Network-Induced Device Reboots
- CVE-2019-25724MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability Impact on Patient Monitoring
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0042MEDIUMAndroid UBSan Resource Exhaustion Denial of Service
- CVE-2026-0069MEDIUMAndroid Resource Exhaustion in APK Signature Verification
- CVE-2026-0074MEDIUMAndroid LauncherProcessImageListener Denial of Service Vulnerability
- CVE-2026-10156MEDIUMOpen5GS Resource Exhaustion Vulnerability in nf-instances Endpoint
- CVE-2026-10224MEDIUMNousResearch hermes-agent Webhook Resource Exhaustion Vulnerability