CVE-2026-34383

Published: Mar 31, 2026Modified: Apr 1, 2026

3.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Exploitability: 2.1 / Impact: 1.4

Source: NVD

Description

Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's item_save endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data without CSRF protection and without the field value checks that the FormPresenter validation normally enforces. This issue has been patched in version 5.0.8.

Affected (1)

Products: Admidio: Admidio

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Admidio Admidio	Before 5.0.8

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://github.com/Admidio/admidio/commit/00494b95dfe847af8b938e4397e5d909d8f36839

Source: security-advisories@github.com

Patch

https://github.com/Admidio/admidio/security/advisories/GHSA-4rwm-c5mj-wh7x

Source: security-advisories@github.com

ExploitMitigationVendor Advisory

Timeline

No history available yet.