Cross-site request forgery in Admidio - CVE-2026-47229

Published: May 25, 2026


Vulnerability identifier: #VU132285
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-47229
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Admidio
Affected software: Admidio

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a partial denial of service and modify the enabled state of an SSO client.

The vulnerability exists due to cross-site request forgery in the enable mode of modules/sso/clients.php, which handles state-changing requests via GET parameters without CSRF token validation. A remote attacker can trick an authenticated administrator into visiting a crafted page, causing a partial denial of service and modifying the enabled state of an SSO client.

User interaction is required, and the issue affects SAML and OIDC client enable or disable operations identified by UUID.
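The pattern described above, as an added illustration that is not Admidio's code: a hypothetical enable/disable handler for SSO clients, first in a CSRF-vulnerable form that acts on GET parameters, then in a hardened form that requires POST and a session-bound token. Function names, the in-memory client table and the UUID are all constructed for the example.

```php
<?php
// Added example (not Admidio's code): an SSO-client enable handler in its
// CSRF-vulnerable form beside a hardened form. All names are hypothetical.
session_start();

// Constructed in-memory stand-in for the SSO client table (uuid => enabled).
$clients = ['11111111-2222-3333-4444-555555555555' => true];

// Vulnerable pattern: the state change rides on GET parameters and no
// request-specific token is checked, so any page an authenticated admin
// visits can make the browser send this request with the admin's session.
function enableClientVulnerable(array &$clients, array $get): bool
{
    $uuid = $get['uuid'] ?? '';
    if (($get['mode'] ?? '') !== 'enable' || !isset($clients[$uuid])) {
        return false;
    }
    $clients[$uuid] = ($get['state'] ?? '1') === '1';
    return true;
}

// Hardened pattern: a per-session token, POST only, and a constant-time
// comparison of the submitted token against the session copy.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function enableClientHardened(array &$clients, string $method, array $post): bool
{
    if ($method !== 'POST') {
        http_response_code(405);   // state changes never ride on GET
        return false;
    }
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals(csrfToken(), $token)) {
        http_response_code(403);   // token missing or wrong: do nothing
        return false;
    }
    $uuid = $post['uuid'] ?? '';
    if (!isset($clients[$uuid])) {
        return false;
    }
    $clients[$uuid] = ($post['state'] ?? '1') === '1';
    return true;
}
```

The form that posts to the hardened handler carries the token as a hidden field (`<input type="hidden" name="csrf_token" value="...">`); marking the session cookie `SameSite=Lax` is a useful second layer but does not replace the token check.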


How to mitigate CVE-2026-47229

Install the security update from the vendor's website.

Sources