Improper access control in Admidio - CVE-2026-34381

Published: April 23, 2026


Vulnerability identifier: #VU127157
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-34381
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Admidio
Affected software:
Admidio

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the documents upload directory when handling direct HTTP requests for uploaded files. A remote attacker can request a role-restricted document by its direct path to disclose sensitive information.

The issue affects the Docker image because Apache is configured with AllowOverride None, causing the .htaccess deny rule for uploaded documents to be ignored, and the upload response JSON discloses the direct file URL.
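The configuration pattern the advisory describes, shown here as an added example (not Admidio's or the Docker image's actual files): with `AllowOverride None` in the main server config, a deny rule kept in the upload directory's `.htaccess` is never read, so the protection has to live in the main config instead. `/var/www/html/UPLOAD_DIR` is a placeholder for the deployment's documents upload directory, and `Require all denied` is assumed as the equivalent of the ignored `.htaccess` rule.

```apache
# Weak pattern (as described in the advisory): .htaccess processing is
# disabled for the document root, so a deny rule placed in the upload
# directory's .htaccess is silently ignored and any client that knows
# the direct file URL can fetch an uploaded document.
<Directory /var/www/html>
    AllowOverride None
    Require all granted
</Directory>

# Hardened: put the deny rule in the main server config, where it does
# not depend on .htaccess being honoured. The application still serves
# role-restricted documents through its own access-checked download
# handler; only direct HTTP requests to the raw files are refused.
# /var/www/html/UPLOAD_DIR is a placeholder, not a real Admidio path.
<Directory /var/www/html/UPLOAD_DIR>
    Require all denied
</Directory>
```

After reloading, validate the syntax with `apachectl -t` and confirm that a direct request for a known uploaded file now returns HTTP 403 rather than the file contents.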


How to mitigate CVE-2026-34381

Install the security update from the vendor's website.

Sources