SB2026052539 - Multiple vulnerabilities in Admidio
Published: May 25, 2026
Description
This security bulletin contains information about 9 vulnerabilities.
1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2026-47234)
CWE-ID: CWE-532 - Information Exposure Through Log Files
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to disclose sensitive information.
The vulnerability exists due to insertion of sensitive information into log files in the Session::setCookie() and Session::start() logging functionality when debug logging is enabled and session cookies are handled. A local privileged user can read application logs containing session IDs and auto-login cookie values to disclose sensitive information.
The logged values include active session cookies and persistent auto-login cookies, which can be recovered by anyone with access to the log sink.
2) Cross-site request forgery (CVE-ID: CVE-2026-47232)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to trigger unauthorized export of a PKCS#12 bundle containing the private key and certificate.
The vulnerability exists due to cross-site request forgery in modules/sso/keys.php export action when processing a cross-site POST request from an administrator session. A remote attacker can cause the victim's browser to send a specially crafted request to trigger unauthorized export of a PKCS#12 bundle containing the private key and certificate.
The same-origin policy normally prevents the attacker's page from reading the cross-site response directly.
3) Missing Authorization (CVE-ID: CVE-2026-47233)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to delete inventory fields and associated data.
The vulnerability exists due to missing authorization in modules/inventory.php field_delete handler when processing a crafted POST request to mode=field_delete. A remote user can send a specially crafted request to delete inventory fields and associated data.
Under the default inventory module configuration, any logged-in member can reach the handler, and deleting a non-system field also removes related item data and field option entries.
4) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-47230)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify file names and descriptions in folders they cannot upload to.
The vulnerability exists due to authorization bypass through a user-controlled key in modules/documents-files.php (file_rename_save mode) and DocumentsService::renameFile() when handling file rename requests: the supplied folder_uuid is checked separately from the target file_uuid. A remote user can send a specially crafted request referencing an uploadable folder_uuid together with a viewable file_uuid from another folder to modify file names and descriptions in folders they cannot upload to.
The issue affects files in folders the user can view but not edit, and the file remains in its original folder while its name and description are changed.
5) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-47231)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information and modify file placement.
The vulnerability exists due to authorization bypass through user-controlled key in modules/documents-files.php move_save handling and File::moveToFolder() when processing mismatched folder_uuid and file_uuid parameters during file move requests. A remote user can submit a crafted move request to disclose sensitive information and modify file placement.
The issue can be exploited by a user who has upload rights on one folder to move a file from a different private source folder into a folder they control before downloading it.
6) Cross-site request forgery (CVE-ID: CVE-2026-47229)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a partial denial of service and modify the enabled state of an SSO client.
The vulnerability exists due to cross-site request forgery in modules/sso/clients.php enable mode when handling state-changing requests via GET parameters without CSRF token validation. A remote attacker can trick an authenticated administrator into visiting a crafted page to cause a partial denial of service and modify the enabled state of an SSO client.
User interaction is required, and the issue affects SAML and OIDC client enable or disable operations identified by UUID.
7) Cross-site request forgery (CVE-ID: CVE-2026-47228)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to reset arbitrary user passwords.
The vulnerability exists due to cross-site request forgery in modules/registration.php send_login mode when handling a crafted top-level navigation request. A remote privileged user can cause a registration administrator to visit a crafted page to reset arbitrary user passwords.
User interaction is required, and the password change occurs even if e-mail delivery fails.
8) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-47227)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify or delete categories belonging to other modules.
The vulnerability exists due to authorization bypass through a user-controlled key in modules/categories.php when processing delete, sequence, or save requests for category UUIDs after validating only the user-supplied type parameter. A remote user can send a specially crafted request with a valid category UUID and an authorized type value to modify or delete categories belonging to other modules.
The intended per-record editability check is never reached because the code compares the category type parameter against mode names, and exploitation requires a valid CSRF token.
9) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-47226)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to delete files from folders where they only have view access.
The vulnerability exists due to authorization bypass through a user-controlled key in modules/documents-files.php when handling file_delete requests with an attacker-supplied folder_uuid that does not match the file's actual parent folder. A remote user can send a crafted file_delete request using a folder UUID they control and a target file UUID from another folder to delete files from folders where they only have view access.
Exploitation requires a valid member account, upload rights on at least one folder, view rights on the target folder, and knowledge of the target file UUID.
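Entries 4, 5 and 9 share one root cause: the authorization check is run against the folder_uuid the caller supplies, while the file_uuid it is paired with may belong to a different folder. The following is an added, constructed model of that check and its hardened form; it is not Admidio code, and the folder/file tables, user names and the assumption that a move needs upload rights on both the real source folder and the destination are all illustrative.

```python
"""Constructed model of the folder_uuid / file_uuid mismatch (not Admidio code)."""

# Constructed sample data: per-folder rights and each file's real parent folder.
FOLDERS = {
    "folder-A": {"view": {"alice", "bob"}, "upload": {"alice"}},  # alice controls A
    "folder-B": {"view": {"alice", "bob"}, "upload": {"bob"}},    # alice may only view B
}
FILES = {
    "file-1": {"parent": "folder-B", "name": "minutes.pdf"},
}


def has_right(user, folder_uuid, right):
    """True if the user holds the given right ("view" or "upload") on the folder."""
    folder = FOLDERS.get(folder_uuid)
    return folder is not None and user in folder[right]


def vulnerable_authorize(user, folder_uuid, file_uuid):
    """Mirrors the flawed pattern: folder and file are validated independently,
    so a folder the user may upload to can be paired with any viewable file."""
    if not has_right(user, folder_uuid, "upload"):
        return False
    file = FILES.get(file_uuid)
    # The file is only required to be viewable; its parent is never compared.
    return file is not None and has_right(user, file["parent"], "view")


def fixed_authorize(user, folder_uuid, file_uuid):
    """Hardened form: derive the folder from the file record itself and reject
    any request whose supplied folder_uuid does not match the real parent."""
    file = FILES.get(file_uuid)
    if file is None or file["parent"] != folder_uuid:
        return False  # mismatched key: treat as unauthorized, not as a hint
    return has_right(user, file["parent"], "upload")


def fixed_authorize_move(user, file_uuid, dest_folder_uuid):
    """Move variant (assumption: upload right needed on the real source folder
    and on the destination); the source folder is never taken from the caller."""
    file = FILES.get(file_uuid)
    if file is None:
        return False
    return has_right(user, file["parent"], "upload") and has_right(
        user, dest_folder_uuid, "upload"
    )


if __name__ == "__main__":
    # alice pairs her own folder-A with a file that really lives in folder-B.
    print("vulnerable:", vulnerable_authorize("alice", "folder-A", "file-1"))
    print("fixed:     ", fixed_authorize("alice", "folder-A", "file-1"))
```

The same mismatch drives rename (entry 4), move (entry 5) and delete (entry 9); the fix in every case is to resolve the folder from the stored file record and to authorize against that, never against a caller-chosen UUID.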
Remediation
Install the update from the vendor's website.
References
- https://github.com/Admidio/admidio/security/advisories/GHSA-mch8-wf3h-6x88
- https://github.com/Admidio/admidio/blob/v5.0.9/src/Session/Entity/Session.php#L533-L540
- https://github.com/Admidio/admidio/security/advisories/GHSA-4rgq-38mh-9xqg
- https://github.com/Admidio/admidio/blob/v5.0.9/modules/sso/keys.php#L83-L94
- https://github.com/Admidio/admidio/security/advisories/GHSA-xw54-c3mx-9pm3
- https://github.com/Admidio/admidio/commit/d37ca6b27b9674238e58491cf7ba292e66898f15
- https://github.com/Admidio/admidio/security/advisories/GHSA-q6w3-hpfv-rg36
- https://github.com/Admidio/admidio/security/advisories/GHSA-x628-457g-2pw9
- https://github.com/Admidio/admidio/security/advisories/GHSA-xg76-5qj2-2hhv
- https://github.com/Admidio/admidio/security/advisories/GHSA-mx25-j3rc-6w2w
- https://github.com/Admidio/admidio/security/advisories/GHSA-rwjr-qjj3-mq2f
- https://github.com/Admidio/admidio/security/advisories/GHSA-qc4c-hrmc-4f78
- https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f