SB20260423147 - Multiple vulnerabilities in Admidio



SB20260423147 - Multiple vulnerabilities in Admidio

Published: April 23, 2026

Security Bulletin ID SB20260423147
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 25% Low 75%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-34381)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the documents upload directory when handling direct HTTP requests for uploaded files. A remote attacker can request a role-restricted document by its direct path to disclose sensitive information.

The issue affects the Docker image because Apache is configured with AllowOverride None, causing the .htaccess deny rule for uploaded documents to be ignored, and the upload response JSON discloses the direct file URL.


2) Cross-site request forgery (CVE-ID: CVE-2026-34382)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to delete custom lists.

The vulnerability exists due to missing csrf protection in mylist_function.php when handling list deletion requests. A remote user can trick a victim into sending a crafted request to delete custom lists.

User interaction is required for exploitation.


3) Improper access control (CVE-ID: CVE-2026-34383)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass form validation.

The vulnerability exists due to improper access control in the inventory item save functionality when handling requests with the imported parameter. A remote user can send a specially crafted request to bypass form validation.

The issue is related to cross-site request forgery handling in the inventory item save process.


4) Cross-site request forgery (CVE-ID: CVE-2026-34384)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform unauthorized registration approval actions, including taking over an existing account.

The vulnerability exists due to cross-site request forgery in modules/registration.php when handling GET-based registration approval requests. A remote privileged user can trick a user with the rol_approve_users right into visiting a crafted URL to perform unauthorized registration approval actions, including taking over an existing account.

User interaction is required, and exploitation requires the attacker to have a pending registration so their user UUID is known from the registration confirmation email.


Remediation

Install update from vendor's website.